ELK ASIA PACIFIC JOURNAL OF ELECTRONICS AND COMMUNICATION TECHNOLOGY
ISSN 2394-935X (Online); DOI: 10.16962/EAPJECT/issn. 2394-935X/2016; Volume 2 Issue 1 (2016)
www.elkjournals.com
………………………………………………………………………………………………
ESTIMATING THE SAFETY OF DIGITAL INSTRUMENTATION AND CONTROL
SYSTEMS IN NUCLEAR POWER PLANTS: A CASE STUDY
Mishti Tambe J R Patil
INTRODUCTION
With the rapid development of digital technology, several disputes have arisen about changes in technology and how licensing plans should be appraised. Because of this change, there is a possibility of unknown shortfalls. Despite the numerous advantages of digital instrumentation and control (I&C) systems, including self-testing, on-line diagnostics, enhanced precision, fault tolerance, and automated verification of sensor calibration, there are several gaps, such as software logic faults and unexpected system interfaces for filtering digital noise, and degradations that arise from the effect of configuration deviations during power [NEI, 2011]. While there are numerous concerns, it is essential to be acquainted with the changing technologies.
When licensing digital I&C systems, there may be a possibility of failure in the I&C systems due to a common cause. Similar software systems have been employed in safety systems. However, if an erroneous program is unintentionally introduced into the software, the systems are not accurate and behave adversely in every instance of the safety system. According to the NRC, to prevent failures arising from common causes in highly reliable digital systems, asserting quality alone is not sufficient.
THE PROBLEM
Various useful approaches exist for assuring safety in conventional electromechanical safety systems. However, the long-established nuclear power plants
(NPPs) have safety assurance techniques that are not related to software.
Unlike hardware, software does not wear out: it is an abstraction with no physical realization, and its faults are purely systematic design faults. This nature of software removes physical constraints but permits novel and ambitious features and functions to be included in the design, thereby raising complexity and changing the categories of failure. In digital systems there are basically two types of failure. In the first, the hardware fails in the same way as analog hardware, and protection against such failures consists of providing more hardware components of the same configuration. The second type is software failure, which may result from erroneous programs that are unfit for the system. Redundant channels are not adequate to overcome this second type. Knight and Leveson (1986) found that creating software in many versions by different groups does not eliminate software failures. Several researchers disputed this study, but the later results remained in line with it (Knight and Leveson, 1990). Since errors are made systematically, independently developed software probably contains errors that arise from common sources.
Critical software failures have been attributed to the requirements stage rather than the implementation stage of the software (Leveson, 1995). In several cases the failures occurred because some vital consideration was omitted or an unsuitable assumption was made in the requirements stage. In many other cases the software developers misinterpreted or overlooked a specific requirement that had not been anticipated. Although the software may satisfy the specified requirements, it may still not be safe. As noted above, creating numerous versions of the same software does not help with this issue.
Conversely, hardware systems, unlike software, can be comprehensively inspected and their faults fixed before use. Besides, hardware systems in the majority of cases are not innovative; they conform to standard designs that have been in the industry for several years. The software used in U.S. commercial aircraft for collision avoidance (TCAS II) was computed to comprise 1020 conditions. The continuity that makes it possible to test unbounded hardware systems by means of
interpolation between the test inputs does not apply to discrete-state digital systems.
Software system design is mostly undertaken to overcome the problems encountered with hardware systems, bringing a new outlook on efficient systems, yet reusing software does not overcome the issues in the existing systems (Joyce, 2002; Leveson, 2012). Further, Leveson (2004) reported that the spacecraft failures of the last ten years were due to reusing the software of other spacecraft. Since the reuse had been effective in several cases, the assumption made was negated.
The stipulation is that software functionality replaces hardware; however, failures arising from software differ from hardware failures. Consider the failure of an analog annunciator in an NPP: the screens go blank, indicating the failure. When a digital box executing similar functions fails, on the other hand, the screens freeze, and identifying the exact failure can be time-consuming. Software failures are considered to result from misleading requirements.
In addition to the long-standing reliability-improving design methods being useless for software, software is producing novel categories of failure and different causes of failure that may be unrelated to the reliability of the individual elements. According to Leveson (2012), failures in systems are increasingly caused by unsafe interfaces among functioning elements. Failures arising from the interfaces between elements are not controlled by the typical redundancy and overdesign that are more applicable against failures of hardware elements, and the industries that are adopting digital technology have been subject to such concerns. The nuclear power industry normally follows traditional technologies; however, in recent times it has approached the level of system complexity where failures due to interfaces between elements will increasingly occur.
The violation of these basic assumptions about failures that occur when software is used means that several traditional methods for assuring safety do not apply to the digital modules of systems. The difficulty is one of improving software assurance
for safety-critical functions and integrating those approaches with traditional design and assurance methods, so as to provide an efficient way of designing and verifying or licensing mixed analog and digital instrumentation in NPPs.
A POSSIBLE SOLUTION
To incorporate software systems into safety assurance, it is essential to take account of the potentially new types of failures and their sources that are due to software. This is done by expanding the present causality models. Typically, conventional safety engineering analysis and the design of these systems assume a model consisting of a sequence of events, in which one failure leads to another failure that causes a major breakdown. To address this, Leveson (2012) introduced a new causality model for accidents (STAMP, System-Theoretic Accident Model and Processes), based on system theory, that takes a broader view of failures.
STAMP redefines safety as a control problem rather than a reliability problem. Component failures are still included, but accidents are attributed to external disturbances or unsafe interactions among system modules that are not adequately handled, i.e., controlled, resulting in unsafe system behaviour. Unsafe system behaviour is defined in terms of required behavioural safety constraints that are not enforced. For instance, a typical system safety constraint for an NPP is that the reactor protection system must always insert neutron-absorbing material into the core when a reactivity excursion is feared or cooling is insufficient. If the constraint is not enforced, under particular situations this can lead to a disastrous release of radioactivity into the environment.
To avert accidents, the system design must enforce the safety constraints on system behaviour. The actual course of events that leads to the loss of control may be complex and may include indirect, non-linear, and feedback relationships among the events and the system modules.
Safety constraints specify the relationships among system variables or modules that constitute the safe and unsafe system states: for example, power should not be switched on when the access door to the high-power source is open; aircraft should never violate minimum separation
requirements; pilots in a war zone should be able to identify targets as hostile or non-hostile; and the public health system should prevent public exposure to contaminated water and food. In NPPs, commonly used system-level safety constraints are that the control rods must be inserted into the core when reactivity is uncontrolled or when cooling is inadequate; the reactor must provide sufficient cooling to remove heat and prevent damage to the reactor; and the fuel cladding must be able to stop the leakage of radioactivity. Such high-level behavioural constraints can be refined into more explicit constraints on the behaviour of each system module that together guarantee the system-level safety constraints. Accidents arise from the behaviour of an individual module that violates its safety constraints and from interactions between system modules that violate the system-level safety constraints.
In addition to the safety constraints, another vital concept is required in treating safety as a control problem. In basic systems and control theory, to provide effective control the controller must have an accurate model of the process it is controlling (see Figure 1). For human controllers, this model is generally known as the mental model. For both automated and human controllers, the process model or mental model is used to determine the control actions needed to keep the system operating effectively.
The process model comprises assumptions about the operation of the controlled process and about its present state. Accidents in complex systems, particularly software systems, frequently result from discrepancies between the controller's model of the process and the actual process state, which lead the controller to provide unsafe control. Commonly, these models of the controlled system become inaccurate because of missing or inadequate feedback and communication channels. In the loss of the Mars Polar Lander, the software assumed that the spacecraft was on the surface of the planet and issued a command to cut off the descent engines; in fact, the spacecraft was 40 meters above the surface. A huge number of software-related accidents can be explained by erroneous process models, and the same applies to human errors. STAMP offers a considerably more effective way of designing to reduce human error, instead of treating human error like machine failure.
Designing for safety, or analysing an existing design for safety, involves creating and examining the controls that are employed to enforce the safety constraints, so as to guarantee that they will be effective in ensuring that the constraints are enforced by the system design. Part of designing effective safety controls is providing the feedback and inputs needed to keep the controller's model consistent with the real state of the process. A significant part of identifying the causes of an accident is determining why the controller was ineffective, since frequently the process model employed by the controller was incorrect or inadequate in some way (refer to Fig. 1).
Using these ideas, Leveson (2012) developed a new risk assessment method known as STPA (System-Theoretic Process Analysis), which identifies the safety constraints that need to be enforced and ensures that the system design effectively enforces them. Further, it identifies the process model that the controller needs in order to provide adequate control and, consequently, the information essential to that process or mental model. If that information is missing or corrupted, accidents will happen. STPA is mainly a rigorous technique for inspecting the control loops in the safety control structure to discover potential errors and the potential for inadequate control. Because the STAMP framework encompasses the existing accident models that cover component failure, STPA, besides identifying the hazardous conditions those models cover, also includes causes that the traditional approaches omit or handle poorly, including software requirements errors, failures due to component interaction, complex human decision-making errors, inadequate coordination among multiple controllers, and management and oversight decision making.
USING STPA
STPA chiefly helps in identifying the safety control requirements. There are four categories of inadequate control that lead to accidents:
A control action required for safety is not provided or not followed.
An incorrect or unsafe control action is provided.
A potentially safe control action is provided too early or too late, or in the wrong sequence.
A control action required for safety is stopped too soon.
The results of the analysis can be recorded in a table. A few entries indicate incorrect system behaviour that is nonetheless not a safety problem. Once the table has been filled in for the risks, the unsafe system behaviours can be transformed into safety constraints on the behaviour of the modules. The challenges are partially resolved with this approach. Further, the unsafe control actions that emerge must be examined to identify the conditions that lead to them and that could cause an accident or failure. STPA resembles HAZOP in that it works from a system model, but STPA provides guidance for checking for oversights in some situations.
Flaws in the safety control structure identified by STPA can be used to restructure the safety controls. In turn, the model and analysis methods are used to evaluate the proposed modifications, such as the addition or reinforcement of communication and feedback channels so as to guarantee accurate process models and hence better decision making. Other modifications include reassigning duties, reorganizing or combining them, or merely clarifying the conventions and guidelines under which the system operates.
Some formal comparisons have been made between STPA and traditional methods such as fault tree analysis, and STPA appears favourable. STPA was applied to the ballistic missile defense system (BMDS), prior to the deployment and testing of the system. With conventional techniques, deployment and testing would typically be delayed to reduce the risks; here, several possible ways of launching inadvertently were identified. Although the scenarios identified by STPA included those caused by potential failures of system modules, other scenarios were also found that involved unsafe interactions among the elements without any failures.
As per Pereira et al. (2006), two benefits were prominent in carrying out the evaluation: the effort was limited and expected to aid the engineers in scoping the system design, and the evaluation was concluded once the control actions had been verified.
After developing the control structure and classifying the possible inadequate control actions, it was easier to highlight the necessary modifications according to which control actions play the largest part in keeping the system from entering a hazardous state.
Furthermore, as per Ishimatsu (2010), a careful appraisal of STPA was prepared by JAXA for the HTV unmanned spacecraft. Because human life aboard the International Space Station is at stake, rigorous NASA risk analysis standards using fault trees and other analysis approaches had already been applied and reviewed by the NASA authorities. Subsequently, STPA was tested and applied to the same system in an assessment of the method for prospective use at JAXA. The factors causing the risks in the fault tree analysis were also identified by STPA.
RESEARCH OBJECTIVES
The objective of this research is to validate the usability, viability, and comparative effectiveness of using STPA in the licensing of digital NPP systems. STPA has the potential to augment the present analysis and licensing process, with the aim of offering resources to assess risks related to digital technology in NPPs, tools to weigh the degree to which these risks are adequately mitigated by the system architecture, and recommendations for safety-driven enhancements when necessary. STPA is anticipated to be a successful technique at the management level.
A BRIEF STPA TUTORIAL
STPA comprises a distinct set of separate steps: establishing the system information for the analysis, identifying unsafe control actions, and detecting the causes of unsafe control. The results may be used to create safety requirements and design safer systems. The results also apply when a system already exists, to assess it with respect to safety. To begin, the analysts must identify the accidents with which they are concerned and the risks associated with those accidents, and then build a model of the safety control structure.
DETECTING ACCIDENTS
Prior to initiating STPA, agreement on the system-level losses and accidents to be considered must be reached. The losses often comprise loss of human life, but any loss can be included that is undesirable and should be averted; for instance, financial losses including damaged equipment and an operational
loss are indicated. The losses considered in an NPP are harmful radiation to people both outside and within the plant, loss of electric power, unacceptable damage to equipment and tools, and the like. Examples of accidents are shown in Table 1.
The accidents should describe the final outcome that must be averted, not an intermediate event. Consider loss of coolant: it is not a system-level accident, as it does not define the undesired outcome that must be prevented.
DETECTING SYSTEM RISKS
Detection of the system risks takes place after the set of accidents has been defined. Risks are a set of conditions that lead to an accident when combined with an unmitigated condition. All risks are related to the accidents that may occur. An accident in which people are exposed to toxic chemicals from a chemical plant involves various factors, which may be internal or external. The risks related to this accident should describe the factors that can be controlled in the system design. While risks cannot be regarded as failures, risks are the factors that lead to failure. However, not all risks lead to failure of the system; in several cases failure of the system is due to external conditions such as an earthquake, a tsunami and the like.
After the accidents have been identified for the different risks in the system, the overall examination of the system considers all the risks in depth and detects the associated underlying factors and conditions. As accidents and risks define the interface between the system and its environment, there is little need to look beyond the system to identify them. Risks can be restated as the safety constraints that must be enforced to avoid the risks and, further, the accidents that are caused by them.
MODELING THE SAFETY CONTROL STRUCTURE
The safety control structure is a functional control model that emphasizes system safety and the approaches that enforce it. During the design phase of the system, the model that is designed at the outset is high-level and must be refined further as design decisions are made, preferably using the results of the STPA risk evaluation.
A safety control structure is designed in the form of a hierarchy, in which the controllers at the upper levels accomplish
their duties by issuing control actions that influence the lower-level controllers. Figure 2 shows a general control structure that includes both system development and operation. Feedback is provided by the lower-level modules and used by the controllers at the upper level to choose the control actions to issue next (refer to Fig. 2).
Customary risk assessment techniques are typically restricted to operation and at times do not even involve the operator. Nevertheless, the sociotechnical system plays a significant role in preventing accidents. As the hierarchical control structures consist of organizational, supervisory, industrial, and human constituents, STPA makes it easy to examine other factors contributing to accidents that are not covered in the usual analyses. Outlining the safety control structure for a specific system involves identifying the controllers/constituents and their safety responsibilities; for example, pilots are responsible for correctly executing all directives from air traffic control, and automated systems are responsible for keeping process parameters within defined bounds. Figure 2 shows a high-level control structure; however, each part of this structure is further refined into a detailed substructure. For instance, Figure 3 illustrates an example control structure for the Operating Process section of Figure 2. Because STPA is a top-down process, control structures are defined at a high level of abstraction and then refined (refer to Fig. 3).
Lastly, the process models should also be drawn. The process models are used by the controllers to determine the control actions needed to accomplish their duties. Thus, the process models should comprise the relevant information required by the controller to make safe decisions. The safety control structure is a powerful technique for characterizing the safety design of complex systems, and beneficial results are generated at the initial phase of the analysis. Faulty process models, overlapping responsibilities, and contradictory control actions are evidently significant contributors to accidents. While these factors are examined comprehensively in the later stages of the STPA evaluation, several flaws are discovered already in this phase by a straightforward inspection of the control structure. If a controller's process model needs information that is not provided by any feedback, there is a
possibility of a faulty design. Figure 4 illustrates a segment of the control structure, with responsibilities and process models, for a train door control system (refer to Fig. 4).
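The straightforward inspection of the control structure described above can be mechanised once the controllers, their process-model variables and the feedback channels are written down. The following is an added example, not code from the paper or from any STPA tool: it models a constructed train door control structure (the controllers, variables and channels are assumptions) and reports process-model variables that no feedback channel supplies and control actions that more than one controller can issue.

```python
"""Inspection of a STAMP safety control structure (added example).

Constructed for the train door control system the page describes in Figure 4;
the controllers, process-model variables and feedback channels are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Controller:
    name: str
    control_actions: frozenset   # control actions this controller can issue
    process_model: frozenset     # variables the controller's process model needs


@dataclass(frozen=True)
class Feedback:
    source: str                  # component reporting the values
    target: str                  # controller whose process model is updated
    variables: frozenset         # variables carried by the channel


class SafetyControlStructure:
    def __init__(self, controllers, feedback):
        self.controllers = {c.name: c for c in controllers}
        self.feedback = list(feedback)

    def unsupported_model_variables(self):
        """Process-model variables that no feedback channel supplies, per controller.

        A controller that needs a variable nobody reports can only guess it,
        which is the faulty-process-model condition the text warns about.
        """
        result = {}
        for ctrl in self.controllers.values():
            supplied = set()
            for fb in self.feedback:
                if fb.target == ctrl.name:
                    supplied |= fb.variables
            missing = ctrl.process_model - supplied
            if missing:
                result[ctrl.name] = sorted(missing)
        return result

    def overlapping_responsibilities(self):
        """Control actions that more than one controller can issue."""
        issuers = {}
        for ctrl in self.controllers.values():
            for action in ctrl.control_actions:
                issuers.setdefault(action, []).append(ctrl.name)
        return {a: sorted(n) for a, n in issuers.items() if len(n) > 1}

    def dangling_feedback(self):
        """Feedback channels whose variables their target controller never uses."""
        unused = []
        for fb in self.feedback:
            target = self.controllers.get(fb.target)
            if target is None or not fb.variables & target.process_model:
                unused.append((fb.source, fb.target, sorted(fb.variables)))
        return unused


def train_door_structure():
    """Constructed train door control structure with deliberate flaws."""
    door_ctrl = Controller(
        "door controller",
        frozenset({"open doors", "close doors"}),
        frozenset({"train_motion", "platform_aligned", "door_position", "emergency"}),
    )
    train_ctrl = Controller(
        "train controller",
        frozenset({"start train", "stop train"}),
        frozenset({"door_position", "train_motion"}),
    )
    operator = Controller(
        "operator",
        frozenset({"open doors", "start train"}),   # overlaps with both controllers
        frozenset({"door_position", "emergency"}),
    )
    feedback = [
        Feedback("door actuator", "door controller", frozenset({"door_position"})),
        Feedback("train controller", "door controller",
                 frozenset({"train_motion", "platform_aligned"})),
        Feedback("door controller", "train controller", frozenset({"door_position"})),
        Feedback("speed sensor", "train controller", frozenset({"train_motion"})),
        Feedback("door actuator", "operator", frozenset({"door_position"})),
        Feedback("emergency button", "operator", frozenset({"emergency"})),
        # Nobody reports 'emergency' to the door controller: the first flaw.
    ]
    return SafetyControlStructure([door_ctrl, train_ctrl, operator], feedback)


if __name__ == "__main__":
    s = train_door_structure()
    print("unsupported process-model variables:", s.unsupported_model_variables())
    print("overlapping responsibilities:", s.overlapping_responsibilities())
    print("dangling feedback channels:", s.dangling_feedback())
```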
DETECTING UNSAFE CONTROL ACTIONS (STEP 1)
All the controllers in the system are able to issue control actions. This phase examines each control action to determine whether it can be unsafe, i.e., lead to a system-level risk.
SIMPLE TECHNIQUE
Four categories of Unsafe Control Actions (UCA) are possible:
A control action required for safety is not provided.
An unsafe control action is provided that leads to a risk.
A potentially safe control action is provided too early, too late, or out of sequence.
A safe control action is stopped too soon or applied too long.
An easier way of detecting UCAs is to examine each control action in the control structure against each possible risk and determine the UCAs of these four categories from them. The different risks considered are: the train starting to move with a door open; a door opening during movement or when not aligned with a station platform; a door closing while a person is passing through it; and the doors not opening during an emergency (refer to Table 2).
To assess whether a UCA is hazardous, it is essential to avoid assumptions such as that other risk barriers are present or are error-free. For instance, even if a physical interlock prevents the actuator from opening the train doors while in motion, it is nonetheless regarded as unsafe to issue the 'door open' command. The analysis considers the unsafe behaviour that is a source of risk in a bad condition, such as when the physical interlocks are non-functional. However, there is no requirement that the unsafe behaviour must actually cause a hazardous situation or an accident. In an analysis that assumes the other risk barriers are always functioning and adequate, no behaviour would be considered unsafe. Rather, the system components must behave such that the other risk barriers are unnecessary. This approach to identifying the UCAs is easy with respect to
performance, and gives an intuitive way to share the results. A more methodical technique will help in categorizing the UCAs rigorously, as described in the next section.
SYSTEMATIC METHOD
The basis of this technique is the recognition that a control action is not unsafe by itself. For instance, the control action of opening the train doors may be safe on some occasions and unsafe on others. To determine whether it is unsafe, it is necessary first to define the context in which the action occurs. Opening the train doors during motion is a UCA, while opening the doors after the train has stopped is a safe control action that reflects correct system behaviour. Since the process model captures the information the controller needs in order to meet the safety requirements, the context of a UCA can always be decomposed into variables and values that appear in the process model or in the communication of data to the controller from its external environment (refer to Fig. 5).
Besides the context, several other components make up a UCA. By decomposing a UCA into its components (as seen in Figure 5), it is possible to focus first on identifying all the elements in the safety control structure and only then on combining the components to form UCAs. (Refer Table 3) A sample table for the case where the control action is provided is shown in Table 3. The first step of this technique is to choose a control action and create a context table. The first column specifies the control action that the table examines. The next three columns represent the process model variables relevant to the chosen control action. Each row is filled with a distinct combination of process model values. Every row is analysed to determine whether the control action is hazardous in that context, and the findings are noted. Each hazard found corresponds to a UCA that can be recorded in a summary table. The next step is to translate the UCAs into safety constraints. A sample table for the case where the control action is not provided is shown in Table 4. (Refer Table 4)
INTERPRETING UCA INTO SAFETY CONSTRAINTS
UCAs must be translated into safety constraints to ensure that accidents do not occur. This translation is fairly straightforward and typically consists of inverting the wording of the UCA. For instance, if the UCA is commanding the doors to open while the train is moving, the safety constraint for this UCA is that the doors must not be opened while the train is moving. The remainder of STPA inspects the control structure to identify how the safety constraints that were found may be violated.
DETECTING CAUSAL FACTORS (STEP 2)
After the safety constraints have been defined, the causal factors that may lead to a violation of a safety constraint must be identified. Figure 6 shows the classification of causal factors according to the two ways in which a safety constraint can be violated:
1. The controller issues a UCA: all the causal factors that may give rise to a UCA should be identified. For instance, a UCA in which a command opens the train door while the train is moving may be due to an error in the controller's process model. The controller perhaps believes that the train has stopped even though it is moving. This error may stem from incorrect feedback from a component, such as a speed sensor reporting zero speed while the train is moving; the erroneous feedback from the speed sensor may in turn have been caused by a defective sensor. (Refer Fig. 6)
2. Proper control actions are issued but not followed: the causal factors that lead to a violation of the safety constraint despite a safe control action must likewise be determined. For the safety constraint that the doors must not open while the train is moving, the analyst must keep in mind that the door may open even in the absence of a UCA. Such behaviour is likely the result of an actuator failure, the action of another controller, or a problem with the controlled process.
USING CAUSAL FACTORS
The causal factors are used to derive safety requirements for further refinement of the design, or to generate design features that eliminate or mitigate the causal factors leading to hazards. Once the hazards have been eliminated, no further refinement is needed. For an existing design, the causal factors identified for that design must be adequately controlled; in such situations, interlocks should be considered. Failures that are likely to be common become apparent once the causal factors are known.
ITERATING THROUGH THE SAFETY CONTROL STRUCTURE
The STPA process is usually applied first at a high level, using an abstract control structure with abstract control actions and feedback channels. For example, a control structure could represent a flight crew as a single controller with abstract control actions such as execute manoeuvre and abort manoeuvre. A complex software system might likewise be represented by a single controller, say an engine controller, with basic control actions such as increase power and decrease power. After all the controllers have been evaluated at this abstract level, a more detailed control structure can be created to examine the lower-level design information. All the steps of the STPA process should be performed in an iterative, top-down manner to refine the safety constraints as required. If the hazards are eliminated, no further refinement is required; refinement continues only as far as is needed for the mitigation measures to address the concerns specifically.
CASE STUDY
The case study for this research applies STPA to a standard Evolutionary Power Reactor (EPR), which is a Pressurized Water Reactor (PWR). The EPR is fully digital: the control systems, together with the Reactor Protection System, are digital. The evaluation focuses on a subset of the NPP system, namely the systems involved in closing the Main Steam Isolation Valve (MSIV); the same procedure can be carried out for the rest of the system. During normal operation, the coolant in a PWR carries heat from the reactor to the steam generator (SG), a heat exchanger containing water that cools the primary coolant and is itself turned into steam. The SG ideally prevents that water from mixing with the primary coolant, and the steam travels to the turbine, which is coupled to a generator for power generation. The steam is condensed in the condenser and pumped back into the SG to restart the cycle. The loop formed by the SG, turbine, and condenser is called the secondary cooling system. A general illustration of a PWR is presented in Fig. 7. (Refer Fig. 7)
The MSIV is a valve on the main steam line that is left open to allow cooling of the primary cooling system by means of the secondary system. In an abnormal condition, the MSIV is closed to isolate the SG from the rest of the secondary system. Closing the MSIV is mandatory in the event of a break in the main feedwater pipe that allows water to leak out. Closing the MSIV prevents the secondary system from adequately cooling the primary system, so redundant systems are provided to cool the primary coolant. These include additional SGs, turbine bypass valves, main steam relief isolation valves (MSRIV) and main steam relief control valves (MSRCV), safety relief valves (SRV), the Chemical Volume Control System (CVCS), and the Emergency Core Cooling System (ECCS). These systems are included in the analysis only insofar as they influence the decision to close the MSIV. The STPA evaluation begins with the identification of the accidents, hazards, and control structure for the overall system. The remaining steps focus on the systems associated with closing the MSIV.
ACCIDENTS
The identification of accidents, such as radiation exposure, explosion, or any other mechanism, is the first step and is significant because accidents generally involve harm to human life, which must be prevented. Harm to people, of which loss of life is the most severe form, covers the workforce as well as the general population. Furthermore, accidents that affect the environment, such as radiation and harmful release of toxic materials into the air, ground, and groundwater, damage the environment to a great extent. Next is equipment damage, which denotes the financial loss associated with destruction of and damage to the equipment and machinery, irrespective of any radiation released. Lastly, the cost of electrical power generation includes the unintended shutdown of the plant. Table 5 presents the system-level accidents that are examined in this study. (Refer Table 5)
Priorities are assigned, since not all accidents are equally important. Moreover, not all the accidents need happen at the same time, although it is conceivable that all the aforementioned losses occur together. Finally, financial loss, including equipment damage and the cost of electrical power generation, may not be of immediate concern in a licensing review or a conventional safety analysis, but it certainly matters for efficiency. The STPA model may be applied to any category of loss that seems important during the evaluation. Including the various categories of loss, such as operational or financial losses, allows better decision making about meeting multiple requirements and helps in recognizing and formulating trade-offs between conflicting objectives.
SYSTEM HAZARDS
After the system accidents have been defined, the hazards are identified, as shown in Table 6, which lists the hazards included in the evaluation and the accidents associated with them. (Refer Table 6) The first hazard concerns the release of toxic material, such as radioactive coolant, across the boundary of the primary system, irrespective of magnitude, and the corresponding release into the secondary cooling system, groundwater, and air, whether internal or external to the control structure. Such releases must be controlled to prevent people and the environment from coming into contact with them. The second hazard is a hazardous condition that leads to the system-level accidents A-1 and A-2. Although this hazard may occur without an accident, it is detrimental and hence requires control. The third hazard covers operation beyond the safety limits, which causes reactor damage, and operation beyond the design limits, which leads to equipment damage. The last hazard is an unintended shutdown, which leads to the loss of electrical power generation.
SAFETY CONTROL STRUCTURE
The high-level safety control structure developed for this research is depicted in Figure 8. The components within the dashed red box control the closing of the MSIV; they are examined in detail in the rest of the case study. Figure 9 shows a more detailed control structure for the systems outlined in the dashed box. The dotted green arrow signifies the interaction between the MSIV controllers and other controllers. As seen in the figure, the Protection System (PS) links to the Safety Control System (SCS) in order to initiate the Engineering Safety Features (ESF) controls following ESF actuation. The Reactor Controls (RC) controller similarly interacts with the Non-Safety System Controller (NSSC) so that command signals are provided for the actuators used in RC tasks other than the control rods, such as the BMC (Boron and Makeup Control) components for boron control. (Refer Fig. 8)
The controllers that can issue a control action to close the MSIV are the Operator, the NSSC, the PS, and the Diverse Automation System (DAS). These controllers send their control actions to the MSIV Priority Module (PM), which uses a pre-programmed precedence rule to determine which control action is passed on to the MSIV actuator. When the operator detects a need to close the MSIV, the operator may issue a 'Close MSIV' command to the PM. The PM determines which controller has precedence and passes that controller's commands straight to the MSIV actuator. Since the NSSC offers a manual control for the MSIV, the operator can also issue the close command to it. (Refer Fig. 9)
In that case, the NSSC normally passes the close command on to the PM, which in turn passes it to the MSIV actuator. The PS is automatic and issues a Close MSIV command itself. Lastly, the DAS, a backup safety system, can be used if there is a problem with the PS. The DAS sends a Close MSIV command to the PM, which passes the command on to the MSIV actuator.
A sensor is required to provide feedback on the MSIV status directly to the PM. However, this sensor does not sense process variables such as pressure, temperature, or steam flow. Instead, it senses the torque applied to the valve to determine the valve's position. The PM receives this feedback and forwards the confirmation to the controller that originally demanded the closing of the MSIV. There are, however, several process sensors that report process variables such as pressures, SG water level, and the operation of backup systems to the controllers. Each of these is used by the controllers to decide whether to close the MSIV. The controllers have the following duties:
OPERATOR
Confirm or block permissives.
Bring the plant to a controlled shutdown in the event of an Anticipated Operational Occurrence (AOO) or Postulated Accident (PA), for instance leakage from the primary into the secondary loop.
Initiate the Engineering Safety Features (ESF).
Initiate main steam line isolation whenever required.
Monitor the parameters that highlight irregularities or trends.
Operate the plant during startup.
Operate the plant after an automatic shutdown.
Intervene in line with the written procedures during an emergency.
PS - PROTECTION SYSTEM
Bring the plant to a controlled shutdown in the event of an Anticipated Operational Occurrence (AOO) or Postulated Accident (PA), for instance leakage from the primary into the secondary loop.
Initiate the Engineering Safety Features (ESF).
Initiate main steam line isolation whenever required.
DAS - DIVERSE AUTOMATION SYSTEM
Same as the PS; the DAS is a backup for the PS.
NSSC - NON-SAFETY SYSTEM CONTROLLER
Forward the open/close MSIV command to the PM on receiving the command.
On receiving feedback from the PM, forward it to the Operator.
PM - PRIORITY MODULE
Admit control commands in line with the precedence PS > DAS > SCS > Operator > NSSC.
Pass the commands to the MSIV actuator.
Pass the feedback from the MSIV actuator to the active controller.
Make sure that a checkback is obtained when the MSIV is closed.
Check for problems with MSIV actuator functionality.
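The PM duties listed above (precedence arbitration, forwarding to the actuator, routing the checkback, and flagging an actuator that does not respond), written out as an added Python example; this is not the paper's or any vendor's code. The torque threshold, the command and result formats, and the treatment of the SCS as just another command source are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Precedence from the PM's duty list in the paper: PS > DAS > SCS > Operator > NSSC.
PRECEDENCE = ("PS", "DAS", "SCS", "Operator", "NSSC")
RANK = {name: rank for rank, name in enumerate(PRECEDENCE)}   # lower rank wins


@dataclass(frozen=True)
class Command:
    source: str          # one of PRECEDENCE
    action: str          # "close" or "open"


class MsivActuator:
    """Constructed stand-in for the MSIV actuator and its torque sensor.

    The PM never reads pressure or flow: the paper says the status sensor
    reports the torque applied to the valve, so that is all this exposes.
    """

    SEAT_TORQUE = 100.0   # assumed: torque reading when the valve is fully seated

    def __init__(self, stuck: bool = False):
        self.position = "open"
        self.stuck = stuck            # models a jammed actuator

    def drive(self, action: str) -> float:
        """Move the valve and return the torque the sensor reports."""
        if self.stuck:
            return 0.0                # no seating torque develops on a jammed valve
        self.position = "closed" if action == "close" else "open"
        return self.SEAT_TORQUE if action == "close" else 0.0


@dataclass
class PriorityModule:
    actuator: MsivActuator
    active_controller: Optional[str] = None
    log: list = field(default_factory=list)

    def arbitrate(self, commands: list) -> Optional[Command]:
        """Duty 1: admit the command from the highest-precedence known source."""
        for c in commands:
            if c.source not in RANK:
                self.log.append(f"rejected command from unknown source {c.source!r}")
        known = [c for c in commands if c.source in RANK]
        return min(known, key=lambda c: RANK[c.source], default=None)

    def cycle(self, commands: list) -> dict:
        """Duties 2-5: drive the actuator, route the checkback, detect actuator faults."""
        cmd = self.arbitrate(commands)
        if cmd is None:
            return {"selected": None, "action": None, "checkback_to": None,
                    "checkback": False, "fault": None}
        self.active_controller = cmd.source
        torque = self.actuator.drive(cmd.action)
        expected = "closed" if cmd.action == "close" else "open"
        # Checkback for a close command means the torque sensor saw the valve seat.
        checkback = self.actuator.position == expected
        if cmd.action == "close":
            checkback = checkback and torque >= MsivActuator.SEAT_TORQUE
        fault = None
        if cmd.action == "close" and not checkback:
            fault = "MSIV actuator fault: no seating torque after close command"
        self.log.append(f"{cmd.source} -> {cmd.action}: checkback={checkback}")
        # The checkback goes back to the controller whose command was admitted.
        return {"selected": cmd.source, "action": cmd.action,
                "checkback_to": self.active_controller, "checkback": checkback,
                "fault": fault}
```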
PROCESS MODEL VARIABLES
The controllers need detailed information to choose their control actions, and the process model variables supply it. Each process model variable can be related to the corresponding control action. For closing the MSIV, the purpose of the MSIV must first be defined. The MSIV remains open when the plant operates normally and is closed only in certain abnormal cases. The relevant abnormal conditions follow from the hazards and are described below:
Steam generator tube rupture: results in an uncontrolled rise of the SG level and releases contaminated liquid into the secondary system.
Steam system piping leak: results in depressurization of the SG, which further leads to an overcooling transient and energy release into containment.
Feedwater system piping leak: causes depressurization of the SG as above.
Although these conditions can be caused by physical failures, the last two can also be produced by design errors and unsafe commands elsewhere in the system. For instance, a leak in the main steam line may be produced by a physical fault, or the main steam relief valves may be left open accidentally at the wrong time. In these situations, closing the MSIV is necessary to prevent depressurization and an overcooling transient until the problem can be resolved. Besides mitigating the situations above, the MSIV also controls the heat exchange that takes place inside the SG. Before isolating the SG, several other systems must be engaged to deliver adequate cooling. Hence, detailed knowledge of the cooling provided by the other systems is needed so that the MSIV can be closed accordingly.
UNSAFE CONTROL ACTIONS
While considering whether a control action can be unsafe, it is essential to avoid the assumption that other protection barriers are intact, appropriate, adequate and error-free. For instance, even if the emergency feedwater system must provide the required cooling when a relief valve is accidentally opened, it is still hazardous to unintentionally command the relief valve open. Such actions must be included in the analysis and prohibited irrespective of the other protective systems that are expected to mitigate hazardous behaviour. Table 7 summarizes the UCAs identified for the command Close MSIV. A controller and a control action were selected first in this process. The operator and the control action Close MSIV were analysed first, although the findings apply to the other controllers in the system as well. A context table was then constructed for the control action using the corresponding process model variables that were identified earlier. Table 8 shows the context table for Close MSIV provided. (Refer Table 7)
In Table 8, the first column describes the control action under examination and columns 2 to 5 correspond to the process model variables identified previously. Column 6 specifies the contexts in which it is hazardous to provide the Close MSIV control action. For instance, row 1 refers to a condition in which closing the MSIV is hazardous: if there are no SG tube ruptures, no main feedwater pipe leaks, and no main steam line leaks, closing the MSIV will trigger H-4, reactor shutdown. If other systems do not provide the extra heat removal that is then necessary, closing the MSIV may also cause a loss of the required cooling (H-2 in row 9, column 6).
If other systems are able to provide the extra cooling during a rupture or leak, closing the MSIV is not hazardous (rows 2-8, column 6), and a reactor shutdown is initiated regardless of the MSIV action. Conversely, closing the MSIV may produce other hazards (rows 10-16, column 6), including excessive temperature rise (H-2), release of radioactive material (H-1), an immediate reactor shutdown or SCRAM (H-4) if not already initiated, and additional equipment damage (H-3). Depending on the type of rupture, it may actually be safer to leave the MSIV open to control the reactor temperature (H-2), even though this allows some radioactive steam to be carried into the secondary system (H-1). (Refer Table 8)
The last two columns in the table account for timing. If a rupture or leak exists and the other systems are adequate, then it is not hazardous to close the MSIV (rows 2-8). However, if the MSIV is closed too late, it is hazardous. In the event of a steam generator tube rupture, large amounts of radioactive coolant may by then have been released into the secondary system and the environment (H-1). If there is a leak in the steam line, excessive steam will be released, affecting cooling (H-2). If the steam line or feedwater pipe has a leak, the SG will dry out and there may be equipment damage (H-3). Closing the MSIV too early can also be hazardous in specific circumstances. For instance, in the event of a steam generator tube rupture, the SG pressure must be reduced before the MSIV is closed. Otherwise, if the MSIV is closed too early after an SG tube rupture, the SG pressure and temperature will rise and may result in damage to the SG, the SG piping, or other systems (H-3).
The contexts used to describe UCAs are not the same as contexts that are inherently unsafe. The tables in this section examine controller behaviour and control actions under many conditions, not conditions that are hazardous by themselves. For instance, row 1, column 6 of Table 8 is marked as hazardous because the control action Close MSIV would lead to an accident if provided in that situation, even though the situation itself, with no ruptures or leaks, is not hazardous. Conversely, the context in row 2 involves a steam generator tube rupture, but column 6 is not marked hazardous because closing the MSIV is not hazardous in that situation; indeed, closing the MSIV must occur in that situation to prevent an accident.
Just as providing a control action can be hazardous, not providing a control action can be equally hazardous. Table 9 shows the context table for not providing the Close MSIV control action. As discussed earlier, a reactor shutdown must be initiated for every rupture irrespective of the MSIV control action. Nonetheless, because these tables are used to identify UCAs, only hazards that are affected by a missing Close MSIV control action are listed at this stage of the analysis.
If there is no rupture or leak, leaving the MSIV open is not hazardous (rows 1 and 9). However, if there is a rupture or leak, different hazards may be encountered depending on the part of the system affected. If an SG tube is ruptured and the MSIV is not closed, radioactive material will be released into the secondary system (H-1) and the SG water level may rise uncontrollably. A sustained loss of primary coolant will reduce the effectiveness of the primary cooling system (H-2), and the release of radioactive material into the secondary system could cause equipment damage (H-3). If the main steam line has a leak and the MSIV is kept open, excessive steam can escape, causing an overcooling transient and overcompensation by other systems that increases reactivity (H-2). Excessive steam release can also lower the SG water level, with possible equipment damage if the SG dries out (H-3). If the main feedwater pipe leaks and the MSIV is open, the SG can be depressurized, causing an overcooling transient, and the water level may fall, leading to H-2 and H-3. (Refer Table 9)
In the case of an SG tube rupture, leaving the MSIV open will trigger, besides equipment damage, an immediate shutdown (H-4) by SCRAM and can increase the time the plant must remain shut down for repairs. Overfilling of the SG may let water enter the steam lines, damaging the fragile turbine blades and requiring a long time to repair. Moreover, equipment may be overstressed and require more extensive inspection before the plant can operate again. The additional contamination may also require extra time to decontaminate and subsequently produces more waste. Since leaving the MSIV open during an SG tube rupture may result in a more severe and prolonged shutdown than would occur with a controlled SG tube rupture, H-4 is included in Table 9 for such situations. H-4 is not listed for the other situations, since it is assumed that leaving the MSIV open after a leak in the main steam line or main feedwater pipe would not produce a worse shutdown than if the MSIV were closed, although it does affect the other hazards listed.
Whatever the purpose of studying the tables, the rationale for all the "hazardous" vs. "not hazardous" judgments ought to be recorded in the analysis. Indeed, the context tables help to verify that the essential justifications and assumptions are documented, in contrast to the ad-hoc documentation of hazardous control actions, which may immediately discount and overlook the safe control actions completely. Admittedly, the safe rows could simply be omitted from the tables; however, recording the reasoning behind the hazardous behaviour is just as important as recording the behaviour that is expected to be safe. Such records may be particularly important for other long-term project aims, such as future change management activities, design reuse in new settings, and other considerations that arise later in the system life cycle.
Comparing Tables 8 and 9, there are conflicts that need to be resolved. In both tables, rows 10 to 16 are marked as hazardous: in these situations it is hazardous to close the MSIV, but also hazardous to leave it open. In some situations it is possible to revise the design to remove the conflict and provide a safe choice. If the conflict cannot be resolved, a decision must be made about the action to take in such situations, and the option that is evidently less hazardous is selected. In this research, after discussion with nuclear engineers and regulators, rows 10 to 16 were found not to have been examined in earlier analyses of MSIV control. However, the agreement was that it is better to leave the MSIV open in the situation of row 10 to maximize the amount of cooling, even though this will contaminate the secondary cooling system and eventually require expensive maintenance. Rows 11-16, by contrast, involve leaks in the pipe supplying water to the steam generator and in the line that carries steam away. If the MSIV is not closed in these conditions, the water inventory in the steam generator will drop and in due course reduce the cooling capacity or cause an overcooling transient. Hence, in these conditions (rows 11-16), it was decided that it is better to close the MSIV to make the most of the cooling available, even if this is only a temporary solution. These conclusions were found to differ from present MSIV controller designs, which do not act on the basis of the state of other systems and may automatically close the MSIV during a rupture.
The above assumptions ought to be reviewed and assessed carefully by domain experts. The purpose of this case study was to design and carry out an assessment of the accidents that can reveal hazardous control actions and to account for the safety-critical problems that should be considered. Tables 8 and 9 use complex contexts, and the analysis should likewise be carried out comprehensively. In such situations there are other control actions that must occur outside the MSIV control loop, and these should also be examined in the same manner. Furthermore, efforts should be made to prevent several of these situations from occurring at all. Although such additional efforts were beyond the scope of the case study, they are mentioned to indicate how the analysis would be extended into other areas of the system to address the concerns identified.
SAFETY CONSTRAINTS
All the UCAs from Table 7 can be transformed into safety constraints, as shown in Table 10.
CAUSAL FACTORS
As defined in Section 2.6, there are two ways in which a safety constraint can be violated:
- The controller provides a UCA
- Appropriate control actions are provided but not followed
The causal factors shown in Figure 6 are used for the analysis in this case study. The following sections examine the two cases for the Operator, DAS, and PS.
OPERATOR CAUSAL FACTORS
Factors leading to Operator UCAs: the underlying factors that lead to each UCA are described here (Table 10). (Refer Fig. 10)
UCA 1: Close MSIV command not provided when there is a leak (rupture in the SG tube, leak in main feedwater, or leak in main steam line) and the support systems are sufficient.
SECONDARY COOLING SYSTEM (CVCS OR EMERGENCY FEEDWATER SYSTEM)
- Simultaneous conditions conceal one another. For instance, a feedwater problem may occur at the same time as an SGTR, causing the SG water level to appear steady.
- Conditions that require MSIV closure are concealed. For instance, the NSSC actuates the PZR heaters to compensate for the loss of RCS pressure during an SGTR.
- The event develops slowly
PROCESS FEEDBACK
- SG level feedback lost, delayed, or incorrect
- SG pressure feedback incorrect or delayed
- Steam generator water level delayed or incorrect
- Main steam line activity incorrectly indicated
- Contradictory data indicates an incorrect condition
- Voting system does not function correctly and produces an incorrect result
- No indication that partial cooldown has started
- Failures in sensors, communication lines, or power
- PM reports both MSIV actuators as inoperable when they are operable
- PM reports the MSIV as already closed when it is not
- NSSC reported as functional when it is not
OUTSIDE INFORMATION
- PZR pressure delayed or lost
- PZR level wrongly shown as normal
- No indication that SI has started
- Delayed indication that SI has started
- Permissive incorrectly in effect
- Incorrect combination of indications from the 4 divisions
OPERATOR
- Operator assumes the steam generator is not damaged when it is
- Operator assumes the main steam line has no leak when it does
- Operator assumes the main feedwater has no leak when it does
- Operator confused about which procedure to use
- Operator confused by contradictory indications
- Operator reluctant to shut down the reactor, uncertain whether shutdown is necessary and justified
- Operator under pressure not to trip the reactor
- Operator waits for the PS to handle the condition
- Operator unaware of the problem because of insufficient feedback
- Operator unaware because the NSSC is broken or providing insufficient information
- Operator closes the wrong valve
- Operator identifies the rupture/leak but assumes that other systems are insufficient, and leaves the MSIV open to maintain adequate cooling capacity
- Operator uncertain about a rupture/leak
- Operator assumes the NSSC is functioning when it is not
UCA 2: Close MSIV command not provided when there is a main feedwater or main steam line leak and other systems are insufficient.
SECONDARY COOLING SYSTEM (CVCS OR EMERGENCY FEEDWATER SYSTEM)
- Simultaneous conditions conceal others
- Conditions that require MSIV closure are concealed
- The events develop slowly
PROCESS FEEDBACK
- SG level feedback lost, delayed, or incorrect
- SG pressure feedback incorrect or delayed
- Steam generator water level delayed or incorrect
- Contradictory data indicating an incorrect condition
- Voting system does not function correctly and produces erroneous results
- No indication that partial cooldown has started
- Failures in sensors, communication lines, or power
- PM reports MSIV actuators as inoperable when they are operable
- PM reports the MSIV as already closed when it is not
- NSSC reported as working when it is not
OUTSIDE INFORMATION
- PZR pressure delayed or lost
- PZR level erroneously indicated as normal
- No indication that SI has started
- Delayed indication that SI has started
- Permissive incorrectly in effect
- Incorrect combination of indications from the 4 divisions
OPERATOR
- Operator assumes the main steam line has no leak when it does
- Operator assumes the main feedwater has no leak when it does
- Operator assumes the event is an SGTR that does not require MSIV closure when there is really a main steam line or main feedwater leak that requires closing the MSIV
- Operator confused about which procedure to use
- Operator confused by conflicting indications
- Operator reluctant to shut down the reactor, uncertain whether shutdown is necessary or justified
- Operator under pressure not to trip the reactor
- Operator waits for the PS to handle the condition
- Operator unaware of the problem because of insufficient feedback
- Operator unaware because the NSSC is defective or giving insufficient data
- Operator closes the wrong valve
- Operator identifies the rupture/leak but, because other systems are insufficient, leaves the MSIV open to maintain adequate cooling capacity
- Operator uncertain whether a rupture/leak is present
- Operator assumes the NSSC is functional when it is not
UCA 3: Close MSIV provided when there is an SGTR but other systems are insufficient
SECONDARY COOLING SYSTEM
- A simultaneous condition can conceal another; other support systems may appear sufficient, and automatic systems could worsen the condition
- Loss of power
PROCESS FEEDBACK
- SG level feedback not given, delayed, or wrong
- SG pressure feedback incorrect, delayed, or lost
- Steam generator water level incorrect, delayed, or lost
- Contradictory data indicating an incorrect condition
- Voting system does not function correctly and produces erroneous actions
- Failures in sensors, communication lines, or power
OUTSIDE INFORMATION
- Incorrect combination of indications from the 4 divisions
- PZR pressure delayed or lost
- Incorrect indication that SI has started
OPERATOR
- Operator assumes other systems are operating when they are not
- Operator assumes there is a main steam line or feedwater leak when there is really an SGTR
- Operator sees that the support systems are functioning but does not realize they are insufficient
- Operator confused about which procedure to use
- Operator does not realize that other support systems are not functioning
- Operator confused by contradictory indications
UCA 4: Close MSIV provided too early (while SG pressure is high)
SECONDARY COOLING SYSTEM
- A simultaneous condition can conceal another
- The event develops slowly
- Actuation of the NSSC might confuse the operator
PROCESS FEEDBACK
- SG level feedback not given
- SG pressure feedback incorrect
- Steam generator water level not properly indicated
- Main steam line activity incorrectly indicated
- Contradictory data indicating an incorrect condition
- Voting system operates incorrectly and produces incorrect actions
- Sensor failure
OUTSIDE INFORMATION
- PZR pressure delayed
- PZR feedback lost
- Wrong feedback indicates PZR level is normal
- No indication that SI has started
- No indication that partial cooldown has started
- Permissive incorrectly in effect
- Incorrect combination of indications from the 4 divisions
OPERATOR
- Operator assumes it is now safe to act after the indications confirming an SGTR
- Operator assumes it is now safe to act after the indications confirming a main steam line break
- Operator assumes it is now safe to act after the indications confirming a main feedwater break
- Operator confused about which procedure to use
- Operator confused by contradictory indications
UCA 5: Close MSIV command provided too late after a rupture/leak (in the SG tube, main feedwater, or main steam line)
SECONDARY COOLING SYSTEM
- A simultaneous condition may conceal another
- The event develops slowly
- Actuation of the NSSC will confuse the operator
PROCESS FEEDBACK
- SG level feedback not given
- SG pressure feedback incorrect
- Steam generator water level delayed
- Main steam line activity incorrectly indicated or delayed
- Contradictory data representing a wrong condition
- Voting system works incorrectly, giving incorrect results
- Sensor failure
- PM reports MSIV actuators as not functional when they are
- PM reports the MSIV as already closed when it is not
- NSSC reported as functional when it is not
OUTSIDE INFORMATION
- PZR pressure delayed
- PZR feedback lost
- Wrong feedback indicates PZR level is normal
- No or delayed indication that SI has started
- No or delayed indication that partial cooldown has started
- Permissive incorrectly in effect
- Incorrect combination of indications from the 4 divisions
- Screen is blank or frozen / NSSC or PS gives no response
OPERATOR
- Operator believes it is unsafe to act after an SGTR is confirmed
- Operator believes it is unsafe to act after a main steam line leak is confirmed
- Operator believes it is unsafe to act after a main feedwater leak is confirmed
- Operator confused about which procedure to use
- Operator confused by contradictory indications
- Operator reluctant to shut down the reactor
- Operator under pressure not to trip the reactor
- Operator torn between being conservative given the uncertainty of an SGTR and doing what is expected, namely waiting for the automatic system to resolve the problem
- Operator waits for the PS to handle the condition and does not act in time
UCA 6: Close MSIV provided when there is no rupture/leak
SECONDARY COOLING SYSTEM
- Feedwater supply pumps inoperable
- Condenser leaking
- Excessive sludge in the water
- Items in the water that can reduce flow to the SG
- Spurious opening of relief valves
PROCESS FEEDBACK
- SG level feedback not given
- SG pressure indicated low
- Steam generator water level delayed or incorrect
- Incorrect SG isolation indication
- Main steam line activity
- Contradictory data indicating a wrong condition in which closing the valve would be desirable
- Voting system functions incorrectly, giving incorrect results
- Sensor failure
OUTSIDE INFORMATION
- PZR pressure indication delayed
- PZR feedback lost
- Wrong PZR pressure feedback
- Wrong feedback shows PZR level as low
- Wrong indication that SI has started
- Incorrect indication that partial cooldown has started
- Startup/shutdown not recorded
- Incorrect combination of indications from the 4 divisions
OPERATOR
- Operator assumes the steam generator tubes are ruptured when they are not
- Operator assumes the main steam line has a leak when it does not
- Operator assumes the main feedwater has a leak when it does not
- Operator confused about which procedures to use
- Operator confused by contradictory indications
- Blank screen leads the operator to believe the situation is different
- Incorrect radiation warning
- Closes the wrong valve (other SG)
CAUSAL FACTORS LEADING TO AN OPERATOR CONTROL ACTION NOT BEING FOLLOWED
Besides identifying the reasons for providing UCAs, it is important to examine how safe control actions are carried out. This section identifies violations of the safety constraints that occur even though safe control actions are provided. Figure 11 shows the areas of the control loop in which a larger number of causal factors can lead to a violation of Safety Constraints 1 to 6. (Refer Fig. 11)
SC 1: MSIV must be closed when a leak is detected (rupture in the SG tube, leak in main feedwater, or leak in main steam line) and the support systems are sufficient.
SC 2: MSIV must be closed when there is a main feedwater or main steam line leak and other support systems are insufficient.
Basic Scenario: Operator provides Close MSIV command, but MSIV does NOT close
NSSC
- Physical damage/failure
- Does not recognize the operator command
- Manufacturing flaws
- Inadequate process
- Lack of electric power
PM
- Incorrect priority setting causes the PM to ignore the close command
- Does not recognize the PS or manual command
- Physical damage/failure
- Improper functioning of the multiplex circuit
- An operation (for example, checking the status of the MSIV actuators) takes a long time and the PM ignores new commands
- Two contradictory commands arrive simultaneously from different controllers, the first with lower priority than the second
- PM previously received an interlock command from the PS or another controller, causing the PM to ignore operator commands to close the MSIV
- Contradictory commands are sent (operator/PS, PS/DAS, etc.)
- Manufacturing flaws
- Lack of electric power
MSIV SENSOR
- Reports the device as functional when it is not
- Reports the valve position as open when it is not
- Physical damage/failure
- Manufacturing flaws
- Lack of electric power
MSIV ACTUATOR
- If the oil pump is unavailable and the MSIV is already open, it inevitably stays open for a certain duration
- Mechanical failure in the dump valves, preventing the oil from reaching the tank
- Debris or residue prevents the valve from closing
- The nitrogen pressure in the upper chamber is insufficient to close the valve and this was not recorded accordingly
- Upper chamber is under repair to restore pressure
- Dump valves are inoperable because of mechanical failures
- Physical damage/failure
- Manufacturing flaws
- Lack of electric power
MSIV
- The pressure in the lower chamber does not drop
- The gate of the valve is jammed and does not move
- The upper chamber has too little pressure, creating a vacuum that stops the piston from moving
- The upper chamber pressure is insufficient to drive the piston
- Debris or residue in the valve prevents it from closing
- Physical damage/failure
- Manufacturing flaws
SAFETY CONSTRAINTS 3-6:
SC 3: MSIV must not be closed when there is an SGTR and support systems are lacking
SC 4: MSIV must not be closed too early, when SG pressure is excessively high
SC 5: MSIV must not be closed too late after a rupture/leak (in the SG tube, main feedwater, or main steam line)
SC 6: MSIV must not be closed when there is no rupture/leak
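As an added illustration that is not part of the paper, the six safety constraints can be written as checks on a controller's MSIV decision, and a candidate control policy can then be audited against every combination of leak type and support-system state; the Leak and Action names, the 60 s closure deadline and the "close on any leak" policy are this example's assumptions, since the paper gives no timing values or controller code.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Leak(Enum):
    """Leak locations distinguished by UCA 1-6 (names are this example's own)."""
    NONE = "no rupture/leak"
    SGTR = "steam generator tube rupture"
    MSL = "main steam line leak"
    MFW = "main feedwater leak"


class Action(Enum):
    CLOSE = "close MSIV"
    HOLD = "leave MSIV open"


@dataclass(frozen=True)
class Context:
    leak: Leak
    support_sufficient: bool   # CVCS / emergency feedwater able to maintain inventory
    sg_pressure_high: bool     # closing now would be "too early" in the sense of SC 4
    close_deadline_s: float    # latest acceptable closure time after the leak (assumed value)


def required_action(ctx: Context) -> Action:
    """Action demanded by SC 1, SC 2, SC 3 and SC 6 (timing is checked separately)."""
    if ctx.leak is Leak.NONE:
        return Action.HOLD            # SC 6: no leak, do not close
    if ctx.leak is Leak.SGTR and not ctx.support_sufficient:
        return Action.HOLD            # SC 3 (row 10): keep the cooling path open
    return Action.CLOSE               # SC 1 or SC 2: rows 11-16, and SGTR with support


def violated_constraints(ctx: Context, action: Action,
                         t_action_s: Optional[float] = None) -> List[int]:
    """Ids of the safety constraints violated by `action`, issued at t_action_s, in `ctx`."""
    v: List[int] = []
    leaking = ctx.leak is not Leak.NONE
    if action is Action.HOLD:
        if leaking and ctx.support_sufficient:
            v.append(1)               # UCA 1: close not provided, support sufficient
        if ctx.leak in (Leak.MSL, Leak.MFW) and not ctx.support_sufficient:
            v.append(2)               # UCA 2: close not provided, support insufficient
    else:
        if ctx.leak is Leak.SGTR and not ctx.support_sufficient:
            v.append(3)               # UCA 3: closed during SGTR with insufficient support
        if leaking and ctx.sg_pressure_high:
            v.append(4)               # UCA 4: closed too early
        if leaking and t_action_s is not None and t_action_s > ctx.close_deadline_s:
            v.append(5)               # UCA 5: closed too late
        if not leaking:
            v.append(6)               # UCA 6: closed with no leak
    return v


def close_on_any_leak(ctx: Context) -> Action:
    """Assumed policy of a controller that ignores the state of other systems,
    i.e. the behaviour of current designs that the case study contrasts with."""
    return Action.CLOSE if ctx.leak is not Leak.NONE else Action.HOLD


def audit(policy, t_action_s: float = 10.0) -> Dict[Tuple[str, bool], List[int]]:
    """Run a policy over every (leak, support) context and collect SC violations."""
    findings: Dict[Tuple[str, bool], List[int]] = {}
    for leak in Leak:
        for support in (True, False):
            ctx = Context(leak, support, sg_pressure_high=False, close_deadline_s=60.0)
            bad = violated_constraints(ctx, policy(ctx), t_action_s)
            if bad:
                findings[(leak.name, support)] = bad
    return findings


if __name__ == "__main__":
    for name, policy in (("close_on_any_leak", close_on_any_leak),
                         ("required_action", required_action)):
        print(name, audit(policy) or "no violations")
```

The audit reproduces the paper's finding: a controller that closes on any rupture indication violates SC 3 in exactly the SGTR-with-insufficient-support case.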
Basic Scenario: Operator does not provide Close MSIV command, but MSIV closes
NSSC
- Physical damage/failure
- Certain faults in the NSSC process
- NSSC has a manufacturing flaw
- Manufacturing flaws
- Lack of electric power
- Inadequate algorithm
PM
- PM controls the execution of command requests because of an interlock issued by the PS; this causes a new command to be suspended
- Incorrect priority setting
- Does not recognize the PS or manual command
- Physical damage/failure
- Improper functioning of the multiplex circuit
- Inconsistent commands are sent
- Manufacturing flaws
- Lack of electric power
MSIV SENSOR
- Reports the device as inoperable when it is operable
- Displays the valve position as closed when it is open or only partially closed
- Physical damage/failure
- Manufacturing flaws
MSIV ACTUATOR
- The oil pump may have mechanical problems that cause the valve to be kept open, producing a delay
- The guides are de-energized, then the dump valve opens, which closes the valve prematurely
- Automatic dump valve failure
- Mechanical failure dumps the hydraulic oil from the lower chamber and closes the valve
- Closure test causes it to be unintentionally closed
- Physical process failure
- Manufacturing flaws
- Lack of electric power
MSIV
- Leakage in the upper chamber makes the pressure inadequate to close the valve at the correct time, so there is a delay
- To keep the valve open, a mismatch between the required pressure in the oil chamber and the actual pressure applied causes the oil pressure to be insufficient to keep it open
- A mismatch with respect to the minimum pressure in the nitrogen chamber needed to close the valve means the pressure applied is higher than required, which may not let the valve be opened
- Physical damage/failure
- Manufacturing flaws
DAS CAUSAL FACTORS
UCA 1: Close MSIV not provided when there is a leak (rupture in the SG tube, leak in main feedwater, or leak in main steam line) and the support systems are sufficient
SECONDARY COOLING SYSTEM (CVCS OR EMERGENCY FEEDWATER SYSTEM)
- A simultaneous condition can conceal the other
- The event develops slowly
- Actuation of the CVCS can compensate for the loss of coolant inventory, making the DAS delay actuation
PROCESS FEEDBACK
- SG level feedback lost, delayed, or incorrect (Refer Fig. 12)
- SG pressure feedback incorrect
- Steam generator water level delayed
- Main steam line activity incorrectly indicated
- Contradictory data representing a wrong condition
- Voting system functions incorrectly, providing incorrect results
- No indication that partial cooldown has started
- Sensor failure
OUTSIDE INFORMATION
- PZR pressure delayed
- PZR feedback lost
- Incorrect feedback indicates PZR level is normal
- No indication that SI has started
- Delayed indication that SI has started
- Permissive erroneously in effect
- Incorrect combination of indications from the 4 divisions
DAS - DIVERSE ACTUATION SYSTEM
- DAS does not know when the steam generator is ruptured
- DAS does not know when the main steam line has a leak
- DAS does not know when the main feedwater has a leak
- DAS does not know that the PS is faulty or obsolete and does not take control
- DAS has no power supplied
- DAS uses an improper algorithm
- DAS has an incorrect process model
- Physical damage/failure
- Manufacturing flaws
- Lack of electric power
UCA 2: Close MSIV not provided when there is a main feedwater or main steam line leak and other support systems are insufficient
SECONDARY COOLING SYSTEM (CVCS OR EMERGENCY FEEDWATER SYSTEM)
- A parallel condition can conceal the other
- The events develop slowly
- Actuation of the CVCS compensates for the loss of coolant inventory, making the DAS delay actuation
PROCESS FEEDBACK
- SG level feedback lost, delayed, or incorrect
- SG pressure feedback incorrect
- Steam generator water level delayed
- Contradictory data representing a wrong condition
- Voting system functions incorrectly, giving incorrect results
- No indication that partial cooldown has started
- Sensor failure
OUTSIDE INFORMATION
- PZR pressure delayed
- PZR feedback lost
- Wrong feedback indicates PZR level is normal
- No indication that SI has started
- Delayed indication that SI has started
- Permissive incorrectly in effect
- Incorrect combination of indications from the 4 divisions
DAS - DIVERSE ACTUATION SYSTEM
- DAS does not recognize that the main steam line has a leak
- DAS does not recognize that the main feedwater has a leak
- DAS incorrectly believes the problem is an SGTR when there is actually a main steam line or main feedwater leak
- DAS does not know that the PS is broken or obsolete and does not take control
- DAS has no power supplied
- DAS uses a faulty algorithm
- DAS has an erroneous process model
- Physical damage/failure
- Manufacturing flaws
- Lack of electric power
UCA 3: Close MSIV provided when there is an SGTR but support systems are insufficient
SECONDARY COOLING SYSTEM
- A simultaneous condition conceals the other and other support systems appear sufficient
PROCESS FEEDBACK
- SG level feedback not given
- SG pressure feedback incorrect
- Steam generator water level incorrect
- Contradictory data indicating a wrong condition
- Voting system works incorrectly, giving incorrect results
- Sensor failure
OUTSIDE INFORMATION
- Incorrect combination of indications from the 4 divisions
- PZR pressure delayed or lost
- Wrong indication that SI has started
DAS - DIVERSE ACTUATION SYSTEM
- DAS does not know that the support systems are inoperable because of conflicting information
- DAS erroneously attributes the problem to a main steam line or feedwater leak when it is really an SGTR
- DAS has an inadequate process
- DAS closes the valve when the other SG valves are under maintenance
- Physical damage/failure
- Manufacturing flaws
UCA 4: Close MSIV provided too early (while SG pressure is high)
SECONDARY COOLING SYSTEM
- A simultaneous condition can conceal the other
- The event develops slowly
- Actuation of the CVCS compensates for the loss of coolant inventory, making the DAS delay actuation
PROCESS FEEDBACK
- SG level feedback not given
- SG pressure feedback incorrect
- Steam generator water level delayed
- Main steam line activity incorrectly shown
- Contradictory data representing an incorrect condition
- Voting system works incorrectly, giving incorrect results
- Sensor failure
OUTSIDE INFORMATION
- PZR pressure delayed
- PZR feedback lost
- Incorrect feedback indicates PZR level is normal
- No indication that SI has started
- No indication that partial cooldown has started
- Permissive incorrectly in effect
- Incorrect combination of indications from the 4 divisions
DAS - DIVERSE ACTUATION SYSTEM
- DAS has contradictory data indicating that it is already safe to act after indications confirm a rupture/leak
- Physical damage/failure
- Manufacturing flaws
- DAS has a poor algorithm
- DAS has an erroneous process model
UCA 5: Close MSIV command provided too late after a rupture/leak (in the SG tube, main feedwater, or main steam line)
SECONDARY COOLING SYSTEM
- A simultaneous condition conceals the other
- The event develops slowly
- Actuation of the CVCS compensates for the loss of coolant inventory, making the DAS delay actuation
PROCESS FEEDBACK
- SG level feedback not given
- SG pressure feedback incorrect
- Steam generator water level delayed
- Main steam line activity incorrectly indicated
- Contradictory data indicating an incorrect condition
- Voting system functions incorrectly, giving incorrect results
- Sensor failure
OUTSIDE INFORMATION
- PZR pressure delayed
- PZR feedback lost
- Wrong feedback indicates PZR level is normal
- No indication that SI has started
- No indication that partial cooldown has started
- Permissive incorrectly in effect
- Incorrect combination of indications from the 4 divisions
DAS - DIVERSE ACTUATION SYSTEM
- DAS does not know the actual condition until it is too late after an SGTR
- DAS does not know the actual condition until it is too late after a main steam line leak
- DAS does not know the actual condition until it is too late after a main feedwater leak
- DAS has an improper algorithm
- DAS has an incorrect process model
- Physical damage/failure
- Manufacturing flaws
- Lack of electric power
CAUSAL FACTORS LEADING TO DAS CONTROL ACTIONS NOT BEING FOLLOWED (Refer Fig. 13)
SC 1: MSIV must be closed during a leak (rupture in the SG tube, leak in main feedwater, or leak in main steam line) when the support systems are sufficient.
SC 2: MSIV must be closed during a main feedwater or main steam line leak when other support systems are insufficient.
Basic Scenario: DAS gives Close MSIV command, but MSIV does NOT close
PRIORITY MODULE
Incorrect precedence set instigating PM
to overlook the close command
Does not identify DAS command
Physical damage/failure
Faulty Multiplex
Certain functionalities expend more time
than required and PM overlooks the new
commands
Two contrasting action commands arise
simultaneously from dissimilar
controllers: the first one with less
precedence than the second one
PM had obtained an interlock command
from PS; however PS goes down right
subsequently hence PM pauses to obtain
new commands and does not take new
commands
Contradictory commands are sent
(operator/PS, PS/DAS, etc.)
Manufacturing flaws
Electric power deficit
MSIV SENSOR
Reports the device as functioning when it is not
Reports the valve position as open when it is not
MSIV ACTUATOR
If the oil pump is unavailable and the MSIV is already open, it automatically stays open for some time
Mechanical failure in the dump valves prevents the oil from returning to the tank
Residue or debris prevents the valve from closing
The nitrogen pressure in the upper chamber is inadequate to close the valve (a case not described earlier)
Upper chamber is under maintenance to restore pressure
Dump valves remain closed owing to mechanical failures
Physical damage/failure
Manufacturing flaws
Electric power deficit
MSIV VALVE
Leakage in the upper chamber leaves the pressure inadequate to close the valve at the correct time, causing a delay
A mismatch between the pressure required in the oil chamber to keep the valve open and the pressure actually applied may make the oil pressure insufficient to keep it open, causing it to close
A mismatch between the minimum pressure required in the nitrogen chamber to close the valve and the pressure actually applied may make the applied pressure greater than required, causing the valve to close
Physical damage/failure
Manufacturing flaws
SAFETY CONSTRAINTS 3-6:
SC 3: MSIV must not be closed when there is an SGTR and the support systems are insufficient
SC 4: MSIV must not be closed too early, while the SG pressure is extremely high
SC 5: MSIV must not be closed too late after a rupture/leakage (in the SG tube, main feedwater, or main steam line)
SC 6: MSIV must not be closed when there is no rupture/leakage
Basic Scenario: DAS does not provide Close MSIV command, but MSIV closes
PRIORITY MODULE
PM holds the execution of command requests because of an interlock issued by PS, delaying a new command
PM receives a close command from another controller
Incorrect priority settings
Does not recognize the PS or manual command
Physical damage/failure
Multiplexer broken
Contradictory commands are sent (operator/PS, PS/DAS, etc.)
Physical damage/failure
Manufacturing flaws
Electric power deficit
MSIV SENSOR
Reports the device as non-functional when it is functional
Reports the valve position as closed when it is open or only partly closed
Physical damage/failure
Manufacturing faults
MSIV ACTUATOR
The oil pump could have mechanical faults that cause the valve to be left open, causing a delay
The guides are de-energized and the dump valve opens, which closes the valve too early
Mechanical failure in the dump valve
Mechanical failure releases the hydraulic oil from the lower chamber and closes the valve
A closure test causes the valve to be accidentally closed
Physical damage/failure
Manufacturing shortcomings
Electric power deficit
MSIV VALVE
Leakage in the upper chamber leaves the pressure inadequate to close the valve at the correct time, causing a delay
A gap between the pressure required in the oil chamber to keep the valve open and the pressure actually applied may make the oil pressure insufficient to keep it open, causing it to close
A gap between the minimum pressure required in the nitrogen chamber to close the valve and the pressure applied may make the applied pressure greater than required, causing the valve to close
Physical damage/failure
Manufacturing deficiencies
3.7.3 PS Causal Factors
Causal Factors Leading to PS Unsafe Control Actions (Refer Fig. 14)
UCA 1: Close MSIV not provided when a leakage occurs (rupture in the SG tube, leak in main feedwater, or leak in main steam line) and the support systems are sufficient
SECONDARY COOLING SYSTEM (CVCS OR EMERGENCY FEEDWATER SYSTEM)
A concurrent condition can mask the other
The event progresses too slowly to detect
Actuation of CVCS compensates for the loss of coolant inventory, delaying PS actuation.
PROCESS FEEDBACK
SG level feedback lost, delayed or incorrect
SG pressure is incorrect
Steam generator water level delayed
Main steam line activity incorrectly indicated
Contradictory data indicating a false condition
Voting system functions incorrectly, giving faulty measurements
No indication that partial cooldown has started
Sensor failure
OUTSIDE INFORMATION
PZR pressure delayed
PZR feedback lost
Incorrect feedback indicates that the PZR level is normal
No indication that SI has started
Delayed indication that SI has started
Permissive erroneously in effect
Incorrect combination of signals from the 4 divisions
PS-PROTECTION SYSTEM
PS does not know that the steam generator tube is ruptured
PS does not know that there is a leakage in the main steam line
PS does not know that there is a leakage in the main feedwater
There is a deficit of power supply in PS
PS uses a wrong algorithm
PS has a manufacturing flaw
Physical damage/failure
There is no electric power
PS has an erroneous process model
UCA 2: Close MSIV not provided when there is a main feedwater or main steam line leakage and the other support systems are insufficient
SECONDARY COOLING SYSTEM (CVCS OR EMERGENCY FEEDWATER SYSTEM)
A concurrent condition masks the other
The event progresses too slowly to detect
Actuation of CVCS compensates for the loss of coolant inventory, delaying PS actuation.
PROCESS FEEDBACK
SG level feedback lost, delayed or incorrect
SG pressure is incorrect
Steam generator water level delayed
Contradictory data indicating an incorrect condition
Voting system functions improperly, giving incorrect measurements
No indication that partial cooldown has started
Sensor failure
OUTSIDE INFORMATION
PZR pressure delayed
PZR feedback lost
Incorrect feedback indicates that the PZR level is normal
No indication that SI has started
Delayed indication that SI has started
Permissive erroneously in effect
Incorrect combination of signals from the 4 divisions
PS-PROTECTION SYSTEM
PS does not know that there is a leakage in the main steam line
PS does not know that there is a leakage in the main feedwater
PS assumes that there is an SGTR when there is really a main steam line or feedwater leakage
There is a deficit of power supply in the PS
PS uses a wrong algorithm
PS has an improper process model
PS has a manufacturing fault
Physical damage/failure
Electric power deficit
UCA 3: Close MSIV provided when there is an SGTR but the support systems are insufficient
SECONDARY COOLING SYSTEM
A parallel condition masks the other, and the other support systems appear to be sufficient
PROCESS FEEDBACK
SG level feedback not given
SG pressure incorrect
Steam generator water level incorrect
Inconsistent data indicating a wrong condition
Voting system functions incorrectly, providing incorrect measurements
Sensor failure
OUTSIDE INFORMATION
Incorrect combination of signals from the 4 divisions
PZR pressure delayed or lost
Wrong indication that SI has started
PS-PROTECTION SYSTEM
PS does not know that the support systems are inoperable, owing to the inconsistent data
PS assumes that there is a leakage in the main steam line or feedwater when it is in fact an SGTR
PS has a poor algorithm
PS has an incorrect process model
PS closes the valve when the other SG valves are under maintenance
PS has a manufacturing fault
Physical damage/failure
Manufacturing deficiencies
No electric power
UCA 4: Close MSIV provided too early (while SG pressure is high)
SECONDARY COOLING SYSTEM
A coexisting condition masks the other
Event progresses too slowly to detect
Actuation of CVCS compensates for the loss of coolant inventory, delaying PS actuation.
PROCESS FEEDBACK
SG level feedback not given
SG pressure incorrect
Steam generator water level delayed
Main steam line activity incorrectly indicated
Inconsistent data indicating a wrong condition
Voting system functions incorrectly, giving improper measurements
Sensor failure
OUTSIDE INFORMATION
PZR pressure delayed
PZR feedback lost
Wrong feedback indicates that the PZR level is normal
No indication that SI has started
No indication that partial cooldown has started
Permissive incorrectly in effect
Incorrect combination of signals from the 4 divisions
PS-PROTECTION SYSTEM
PS has a poor algorithm
PS has contradictory data indicating that it is now safe to start the action, which subsequently indicates a confirmed rupture/leakage
Physical damage/failure
Manufacturing shortcomings
Electric power deficit
UCA 5: Close MSIV provided too late after a rupture/leakage (in the SG tube, main feedwater, or main steam line)
SECONDARY COOLING SYSTEM
A simultaneous condition masks the other
The event progresses too slowly to detect
Actuation of CVCS compensates for the loss of coolant inventory, delaying PS actuation.
PROCESS FEEDBACK
SG level feedback not given
SG pressure is incorrect
Steam generator water level delayed
Main steam line activity incorrectly indicated
Inconsistent data indicating an incorrect condition
Voting system works incorrectly, giving improper measurements
Sensor failure
OUTSIDE INFORMATION
PZR pressure delayed
PZR feedback lost
Wrong feedback indicates that the PZR level is normal
No indication that SI has started
No indication that partial cooldown has started
Permissive erroneously in effect
Incorrect combination of signals from the 4 divisions
PS-PROTECTION SYSTEM
PS does not know the actual condition until it is too late after an SGTR
PS does not know the actual condition until it is too late after the main steam line or feedwater leakage
PS has a poor algorithm
PS has an erroneous process model
PS has a manufacturing fault
Physical damage/failure
Electric power shortage
UCA 6: Close MSIV provided when there is no rupture/leakage
SECONDARY COOLING SYSTEM
Feedwater pumps functioning incorrectly
Condenser leaking
Excessive mud in the water
Objects in the water that could cut the flow to the SG
False opening of relief valves
PROCESS FEEDBACK
SG level feedback not given
SG pressure low
Steam generator water level delayed
Wrong SG isolation signal
Main steam line activity
Contradictory data indicating a wrong condition in which closing the valves is required
Voting system works incorrectly and provides wrong measurements
Sensor failure
OUTSIDE INFORMATION
PZR pressure delayed
PZR feedback lost
Incorrect PZR pressure
Incorrect feedback indicates that the PZR level is low
Incorrect indication of the start of SI
Wrong indication that partial cooldown has started
Startup/shutdown unrecognized
Incorrect combination of signals from the 4 divisions
PS-PROTECTION SYSTEM
PS has incorrect data indicating that the steam generator tubes are ruptured when they are not
PS has incorrect evidence indicating that the main steam line or feedwater has a leakage when it does not
PS has an erroneous process model
PS has a poor algorithm
PS has a manufacturing flaw
Physical damage/failure
Electric power deficit
CAUSAL FACTORS LEADING TO PS CONTROL ACTIONS NOT BEING FOLLOWED (Refer Table 15)
SC 1: MSIV should be closed if a leakage is detected (rupture in the SG tube, leak in main feedwater, or leak in main steam line) and the support systems are adequate.
SC 2: MSIV should be closed if a leak is detected in the main feedwater or main steam line and the other support systems are insufficient.
Basic Scenario: PS provides Close MSIV command, but MSIV does NOT close
PRIORITY MODULE
Incorrect priority settings cause the PM to ignore the close command
Does not recognize the PS command
Physical damage/failure
Multiplexer is faulty
An operation takes much more time than anticipated and the PM ignores the new commands
Two contradictory action commands arrive simultaneously from different controllers, the first with lower priority than the second
PM received an interlock command from PS that is never removed, so PM will not accept new commands.
Contradictory commands are sent (operator/PS, PS/DAS, etc.)
Manufacturing faults
Electric power deficit
MSIV SENSOR
Reports the device as functional when it is not
Reports the valve position as open when it is not
Physical damage/failure
Manufacturing faults
Electric power deficit
MSIV ACTUATOR
If the oil pump is unavailable and the MSIV is already open, it inevitably stays open for some time
Mechanical failure in the dump valves stops the oil from reaching the tank
Residue or debris stops the valve from closing, leaving it open
The nitrogen pressure in the upper chamber is insufficient to close the valve
Upper chamber is under maintenance to restore pressure
Dump valves are closed owing to mechanical failures
Physical damage/failure
Manufacturing faults
Electric power deficit
MSIV VALVE
Leakage in the upper chamber generates less pressure, which is insufficient to close the valve at the correct time, causing a delay
A disparity between the pressure required in the oil chamber to keep the valve open and the pressure actually applied may cause the oil pressure to be too low to keep it open, resulting in the valve closing
A disparity between the minimum pressure in the nitrogen chamber required to close the valve and the pressure applied may result in an applied pressure greater than required, causing the valve to close
Physical damage/failure
Manufacturing faults
SAFETY CONSTRAINTS 3-6
SC 3: MSIV should not be closed when there is an SGTR and the support systems are not sufficient
SC 4: MSIV should not be closed too early, while the SG pressure is excessively high
SC 5: MSIV should not be closed too late after a rupture/leakage (in the SG tube, main feedwater, or main steam line)
SC 6: MSIV should not be closed when there is no rupture/leakage
Basic Scenario: PS does not provide Close MSIV command, but MSIV closes
PRIORITY MODULE
PM holds the execution of command requests because of the interlock issued by PS, which delays a new command
Incorrect priority settings
Does not recognize the PS or manual command
Physical damage/failure
Multiplexer is faulty
Contradictory commands are sent (operator/PS, PS/DAS, etc.)
Manufacturing faults
Electric power shortage
MSIV SENSOR
Reports the device as inoperable when it is operable
Reports the valve position as closed when it is open or only partly closed
Physical damage/failure
Manufacturing faults
Electric power shortage
MSIV ACTUATOR
The oil pump could face mechanical problems that cause the valve to be kept open, causing a delay
The guides are de-energized and then the dump valve opens, which closes the valve too early
Mechanical failure in the dump valve
Mechanical failure releases the hydraulic oil from the lower chamber and closes the valve
A closure test causes the valve to be unintentionally closed
Physical damage/failure
Manufacturing faults
Electric power shortage
MSIV VALVE
Leakage in the upper chamber builds less pressure, which is insufficient to close the valve at the correct time, causing a delay
A disparity between the pressure required in the oil chamber to keep the valve open and the pressure actually applied leads to oil pressure insufficient to keep it open, which closes the valve.
A disparity between the minimum pressure in the nitrogen chamber required to close the valve and the pressure applied could lead to an applied pressure greater than required, which may cause the valve to close
Physical damage/failure
Manufacturing faults
EXTENSION TO MULTIPLE STEAM GENERATORS
Up to this point, the analysis has considered a single steam generator and a single MSIV. However, the results can be extended to multiple steam generators without repeating the complete analysis. One method is to revise the existing context tables to reflect the control action “Close MSIV #1”. Because any feedwater or steam line leak involving SG #1 affects the control action “Close MSIV #1” in the same way as in the single-SG system, those columns can remain the same. Likewise, a steam generator tube rupture in SG #1 is relevant to the closure of MSIV #1, but a steam generator tube rupture in any other steam generator has no impact on the closure of MSIV #1. Thus, the values in the column “Steam Generator Tube Rupture” may be replaced with “SG #1 ruptured” and “SG #1 not ruptured”, while the rest of the table is retained as it is. The resulting table can then be transformed for the other three MSIV commands by simply replacing #1 with #2, #3, or #4. If the remaining SGs can compensate for the heat exchange performed by another SG, then the definition of “other support systems” will be extended to include the other SGs.
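The following is an added example, not code from the paper: it encodes the "Close MSIV" context table implied by UCA 1-6 and SC 1-6 above as a checkable function, then applies the extension just described, deriving the per-MSIV context from plant-wide state so that a rupture in another SG is ignored for MSIV #k and intact SGs are folded into "other support systems". The treatment of the other SGs as support (sufficient if either the base support systems or the remaining intact SGs are available) is an assumption of this example.

```python
# Added example, not code from the paper: the "Close MSIV" context table
# (UCA 1-6 / SC 1-6 of this case study) and its extension to N steam
# generators by the "SG #k ruptured / not ruptured" substitution.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEAKS = ("none", "SGTR", "main feedwater", "main steam line")


@dataclass(frozen=True)
class Context:
    """Process state as seen from one MSIV (the columns of the context table)."""
    leak: str               # leak affecting the SG isolated by this MSIV
    support_ok: bool        # other support systems sufficient?
    sg_pressure_high: bool  # SG pressure still extremely high (too early to close)


def close_msiv_uca(ctx: Context, provided: bool, late: bool = False) -> Optional[str]:
    """Return the UCA number from the paper if providing / withholding
    'Close MSIV' in this context is unsafe, or None when it is safe."""
    if ctx.leak not in LEAKS:
        raise ValueError(f"unknown leak kind {ctx.leak!r}")
    if not provided:
        if ctx.leak == "none":
            return None                  # nothing to isolate
        if ctx.support_ok:
            return "UCA 1"               # any leak, support ok, MSIV not closed
        if ctx.leak in ("main feedwater", "main steam line"):
            return "UCA 2"               # MFW/MSL leak, support scarce, not closed
        return None                      # SGTR with scarce support: SC 3 forbids closing
    if ctx.leak == "none":
        return "UCA 6"                   # closed with no rupture/leakage
    if ctx.leak == "SGTR" and not ctx.support_ok:
        return "UCA 3"                   # closed during SGTR with scarce support
    if ctx.sg_pressure_high:
        return "UCA 4"                   # closed too early, SG pressure high
    if late:
        return "UCA 5"                   # closed too late after the leak
    return None


def context_for_msiv(k: int, sg_leaks: Dict[int, str], base_support_ok: bool,
                     sg_pressure_high: bool, n_sg: int,
                     other_sgs_compensate: bool = True) -> Context:
    """Build the context for 'Close MSIV #k' from plant-wide state.
    A rupture or leak on another SG does not affect MSIV #k (the paper's
    'SG #k ruptured / not ruptured' substitution). Assumption of this example:
    when the remaining SGs can take over the heat exchange they count as
    'other support systems', so support is sufficient if either the base
    support systems or the other, intact SGs are available."""
    leak = sg_leaks.get(k, "none")
    others_intact = all(sg_leaks.get(j, "none") == "none"
                        for j in range(1, n_sg + 1) if j != k)
    support_ok = base_support_ok or (other_sgs_compensate and others_intact)
    return Context(leak, support_ok, sg_pressure_high)


def msiv_verdicts(sg_leaks: Dict[int, str], base_support_ok: bool,
                  sg_pressure_high: bool = False, n_sg: int = 4,
                  other_sgs_compensate: bool = True
                  ) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """For each MSIV #k: (command, UCA if provided, UCA if not provided)."""
    rows = []
    for k in range(1, n_sg + 1):
        ctx = context_for_msiv(k, sg_leaks, base_support_ok, sg_pressure_high,
                               n_sg, other_sgs_compensate)
        rows.append((f"Close MSIV #{k}",
                     close_msiv_uca(ctx, provided=True),
                     close_msiv_uca(ctx, provided=False)))
    return rows


if __name__ == "__main__":
    # Constructed scenario: tube rupture in SG #2 only, base support systems scarce.
    for row in msiv_verdicts({2: "SGTR"}, base_support_ok=False):
        print(row)
```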
LIMITATIONS OF THIS ANALYSIS
This research does not include a comprehensive low-level evaluation down to the individual components, including the PLDs inside the PM. The researchers lacked the time and resources in this research grant to evaluate down to that level, which was not the purpose of the research. Since STPA is a top-down analysis, this assessment was carried out from the highest level (accidents and hazards) downward to the component level to identify the control flaws that lead to accidents. The possible flaws and safety constraints that were obtained should be the starting point for a more thorough evaluation. For instance, it was found that the system was designed in a way that an erroneous priority setting would lead to an accident, particularly if MSIV close commands are disregarded. There are several options, such as changing the system architecture or imposing constraints on lower levels, that would prevent such accidents. One such constraint is obtained by making the priority settings static inside the PM and eliminating their programmability, to ensure that MSIV close commands are never disregarded by the PM internal logic and PLD design. Certainly, all the possible solutions should be reviewed to ensure that other safety constraints are not violated and new accidents are not introduced.
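As an added example (not code from the paper or from the analyzed design), the toy model below contrasts the causal factor identified above, a programmable priority table in the PM that can be misconfigured so that a Close MSIV command loses to a conflicting command arriving at the same time, with the proposed constraint of fixed priorities under which a close command is never disregarded. The controller names, priority values and the rule that a close always beats an open are assumptions of this example.

```python
# Added example, not code from the paper: a toy Priority Module (PM)
# arbitrating simultaneous MSIV commands from PS, DAS and the operator.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Command:
    source: str   # "PS", "DAS" or "operator" (assumed controller names)
    action: str   # "close" or "open"


# Intended priority table (higher wins). In the analyzed design the table is
# programmable, which is what allows the misconfiguration below to exist.
INTENDED_PRIORITY: Dict[str, int] = {"PS": 3, "DAS": 2, "operator": 1}

# Constructed misconfiguration: operator commands were set above PS.
MISCONFIGURED_PRIORITY: Dict[str, int] = {"PS": 1, "DAS": 2, "operator": 3}


def arbitrate_programmable(cmds: List[Command],
                           priority: Dict[str, int]) -> Optional[Command]:
    """PM as analyzed: of simultaneous commands only the highest-priority one
    is executed; every other command, including a close, is silently dropped.
    Which one wins depends entirely on the (programmable) priority table."""
    for c in cmds:
        if c.source not in priority:
            raise ValueError(f"unknown command source {c.source!r}")
    if not cmds:
        return None
    return max(cmds, key=lambda c: priority[c.source])


def arbitrate_static(cmds: List[Command]) -> Optional[Command]:
    """PM with the proposed constraint: priorities are fixed in the design
    rather than loaded from a programmable table, and (assumption of this
    example) a 'close' from any controller always ranks above an 'open', so
    an MSIV close command can never be disregarded by the arbitration logic.
    Among commands with the same action the fixed order PS > DAS > operator applies."""
    fixed = {"PS": 3, "DAS": 2, "operator": 1}   # not configurable at runtime
    for c in cmds:
        if c.source not in fixed or c.action not in ("close", "open"):
            raise ValueError(f"invalid command {c!r}")
    if not cmds:
        return None
    return max(cmds, key=lambda c: (c.action == "close", fixed[c.source]))


def violates_close_constraint(cmds: List[Command], chosen: Optional[Command]) -> bool:
    """Check for SC 1 / SC 2 at the PM boundary: if any controller commanded
    'close' (a leak was detected), the executed action must be 'close'."""
    close_wanted = any(c.action == "close" for c in cmds)
    return close_wanted and (chosen is None or chosen.action != "close")


if __name__ == "__main__":
    # Constructed scenario from the causal-factor list: two contradictory
    # commands arrive at the same time from different controllers.
    simultaneous = [Command("PS", "close"), Command("operator", "open")]
    for name, chosen in (
        ("programmable, misconfigured", arbitrate_programmable(simultaneous, MISCONFIGURED_PRIORITY)),
        ("programmable, intended", arbitrate_programmable(simultaneous, INTENDED_PRIORITY)),
        ("static", arbitrate_static(simultaneous)),
    ):
        print(f"{name:28s} -> {chosen} "
              f"(constraint violated: {violates_close_constraint(simultaneous, chosen)})")
```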
RESULTS OF THE ANALYSIS
While this research covered only a limited segment of the secondary cooling system, several significant insights follow from it by assessing the causes of the UCAs for the assumed situations. For instance, the difficulty of detecting a steam generator tube rupture (SGTR) by means of a normal indicator leads to a delayed response by the automatic controllers and the operator. The present design depends on the operator's ability to diagnose and intervene in specific cases. Relying on the operator, however, may not be effective because of factors that affect the operator's decision-making process. Such factors are identified in STPA Step 2 as possible reasons for the operator not to provide the control action to close the MSIV, or to provide it too late. The identified factors ought to be used to improve the design and make it error-free.
A reasonable suggestion, for instance, is for regulators to ask the designers to make the indicators clearer for the case of SGTR by making the radiation level at the main steam line a primary signal for isolating the affected SG. The Protection System (PS) would then diagnose the event earlier. In the present design, a radioactivity signal is insufficient for the PS to act. Consequently, there are additional situations in which both the operator and the PS will act. The operator may feel constrained to avoid spurious closures and will have to wait to obtain convincing confirmation of the actual problem. Such responses are commonly recognized by human factors analyses in several real accidents. There may also be circumstances in which, after years of work, the operator becomes familiar with the automated controls that handle events and grows more confident in their correct operation. This over-reliance will result in non-action or delayed action, even though other analyses have assumed that the operators will respond immediately.
However, because of the nuclear industry's tendency to credit the operator or specific devices, the evaluation of accidents is required to be carried out by the operator, who ought to diagnose and resolve the issues suitably in any circumstance. This is achieved by evaluating the minor cases against the severe cases. STAMP offers a generic alternative that includes the potential circumstances leading to losses, and is able to identify the operators and the erroneous situations in the design in order to determine the shortcomings of the system.
It is important to identify the factors under which a component such as the operator may not perform effectively, and to use those factors to improve the design of the system. The alternative is simply to blame the operators after an accident for being unable to recognize and resolve the issue as expected. Newer NPP designs place the operators in a highly automated setting and state that the PS is able to cope with the majority of concerns. There are several subtle circumstances in which the PS will be inoperable, or in the worst case will overlook the issue and not warn the operator, since it is assumed that the operator will find the issue and solve it. Assuming that A is not safety-critical because B exists as a backup to A, and that B is not safety-critical since it is just a backup system, leads to reasonable questions and, possibly, to accidents. A worst-case evaluation is essential, one which assumes that there may be design faults or common-cause/common-mode failures in A and B.
With the emergence of digital systems the concerns are aggravated. Software allows exceedingly complex systems to be built. Although classifying the safety-critical versus non-safety-critical components in an NPP was comparatively straightforward for mainly electromechanical designs, the widespread use of software enables a far more complex design than was available earlier, and with it the prospect of accidental and unexpected interactions among the components. When there are more interfaces among the system components and a highly complex functional design, the prospects for accidental interactions are higher, so there are more chances for UCAs that can lead to hazards.
It is highly difficult to perform exhaustive system testing with software-intensive systems. Testing each component of the system exhaustively will not ensure system safety. The interfaces between the PM and the other controllers and equipment are such that every component is able to function reasonably with respect to its local environment and the information it has. However, from a global systems point of view, the combined behavior of numerous components might be unsafe. For instance, as mentioned above, the PS might not act in several circumstances in which the operator's involvement is necessary, while the operator might wait for the automatic PS to act. The STPA investigation in this case study was restricted in scope to the MSIV commands and to openly accessible material; nevertheless, a more comprehensive STPA evaluation appears reasonable because of the vital importance of this equipment in the control system.
Using a hazard analysis method grounded in STAMP allows a broad analysis that includes scenarios in which there was no failure but the hazards arise from unsafe interactions between components. Detecting the shortcomings in the general PWR design is possible with STPA because the STPA analysis examines the interactions between the controllers and the system components. These flaws are unlikely to be detected by hazard analysis methods based on the assumption that accidents result from chains of component failures. While only a few flaws were detected in this analysis, a comprehensive and thorough modeling and analysis would reveal more.
POTENTIAL USE OF STPA IN
LICENSING
STAMP offers a sound foundation for analysing the safety of NPPs and for licensing them. Its benefits are outlined below.
CLASSIFICATION OF COMPONENTS AS SAFETY-RELATED VS. NON-SAFETY-RELATED
In NPPs, determining which components are safety-critical and which are not was comparatively simple for earlier electromechanical designs. The extensive use of software, however, enables a far more complex design and the possibility of unintended and unforeseen interactions between components. STPA does not begin with the assumption that some equipment or controllers are safety-related and others are not. Instead, an important output of STPA is the set of UCAs for every controller examined, together with their contribution to each hazard. The UCAs identified in Step 1 define how a controller contributes to a hazardous state. The output of STPA can therefore be used either to classify components as safety-related or non-safety-related or to validate an existing classification. STPA Step 2 goes further and considers how every component, including sensors, actuators, logic devices, and communication paths, can contribute to hazardous conditions. Analysts can thereby detect hazardous behaviour arising from the interactions between components that would otherwise not be captured by traditional analyses.
Although there must be independence between the safety-related and non-safety-related controllers as classified in the U.S. EPR design, the STPA analysis of the case study system shows that some systems classified as non-safety-related may still contribute to hazardous situations and are not truly independent of safety-related systems and functions. Consider the NSSC, which is defined as a non-safety-related controller: it could obstruct or delay the successful closure of the MSIV when required, by reporting inaccurate feedback to the operator or by behaving in an unsafe or unexpected
manner after receiving a close-MSIV command from the operator. Thus, through its communication with many safety-related controllers, the NSSC can affect their ability to perform their safety-related functions.
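The NSSC finding above can be checked mechanically once the control structure is written down. The following Python sketch is an added example, not code from the paper or from the case study: it records the relationships the text describes as a small graph and reports, for each controller that can command the MSIV, which components on its command path and on its feedback path the design labels non-safety-related. The edge list, and the labels given to the operator and the DAS, are assumptions made for the example; the paper's Figure 9 is not reproduced here.

```python
"""Control-structure independence check, modelled on the MSIV case study.

Added example, not the paper's code. The control structure below is a
constructed sketch of what the text describes: the operator's Close MSIV
command passes through the NSSC, the PS and DAS act on the MSIV directly,
and the operator's feedback about valve state comes back through the NSSC.
"""
from collections import deque

# (source, target, kind) edges of the safety control structure; kind is
# "control" for a command path and "feedback" for a status/measurement path.
# Constructed for this example.
EDGES = [
    ("Operator", "NSSC", "control"),
    ("NSSC", "MSIV", "control"),
    ("PS", "MSIV", "control"),
    ("DAS", "MSIV", "control"),
    ("MSIV", "NSSC", "feedback"),
    ("NSSC", "Operator", "feedback"),
    ("MSIV", "PS", "feedback"),
]

# Design classification: the paper states the PS is safety-related and the
# NSSC is not; the Operator, DAS and MSIV labels are assumptions here.
CLASSIFICATION = {
    "Operator": "safety-related",
    "PS": "safety-related",
    "DAS": "safety-related",
    "NSSC": "non-safety-related",
    "MSIV": "safety-related",
}


def paths(src, dst, kind):
    """All simple paths from src to dst using only edges of the given kind."""
    adj = {}
    for s, t, k in EDGES:
        if k == kind:
            adj.setdefault(s, []).append(t)
    found = []
    queue = deque([[src]])
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            found.append(path)
            continue
        for nxt in adj.get(path[-1], []):
            if nxt not in path:          # keep paths simple (no cycles)
                queue.append(path + [nxt])
    return found


def non_safety_intermediaries(src, dst, kind="control"):
    """Components between src and dst that the design labels non-safety-related.

    A non-empty result means the safety function carried over that path is
    not independent of a non-safety-related component, which is the paper's
    finding for the NSSC on the operator's Close MSIV path.
    """
    via = set()
    for p in paths(src, dst, kind):
        via.update(n for n in p[1:-1] if CLASSIFICATION[n] == "non-safety-related")
    return sorted(via)


def independence_report(controllers=("Operator", "PS", "DAS")):
    """Per controller: non-safety-related components on its command path to
    the MSIV and on the feedback path from the MSIV back to it."""
    return {
        c: {
            "command": non_safety_intermediaries(c, "MSIV", "control"),
            "feedback": non_safety_intermediaries("MSIV", c, "feedback"),
        }
        for c in controllers
    }


if __name__ == "__main__":
    for ctrl, deps in independence_report().items():
        print(ctrl, deps)
```

The check is deliberately topological: it says nothing about how likely the NSSC is to misbehave, only that the operator's command and the operator's view of the valve both depend on it, which is what the independence argument has to address.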
IDENTIFYING POTENTIAL OPERATOR ERRORS AND THEIR CAUSES AND SAFETY CULTURE FLAWS
STAMP/STPA treats the operator as an integral part of the system and therefore as an important part of the hazard analysis. Factors such as "pressure to save time and money" are treated as causal factors in the same way as the mechanical failure of a component, and can be captured by this method.
BROADENING THE ANALYSIS AND OVERSIGHT
Several aspects of the wider socio-technical system can also be included in the STPA analysis, although they were not covered in the case study for this report. The NRC is responsible for oversight of safety culture and of many aspects of NPP operations. Including social, organizational, and decision-making factors in the hazard analysis could identify potential hazards and leading indicators of growing risk that regulators can use to monitor how effectively the plants are being operated.
ASSISTING IN UNDERSTANDING APPLICANT FUNCTIONAL DESIGNS
The model of the safety control structure built as part of the STPA analysis can help regulatory reviewers improve their understanding of the functional design of the system and support communication and negotiation with applicants. While performing this case study it was found that the existing documentation for the system gave a complete description of the physical design, but that extracting the functional or logical design from that documentation was difficult. The control structure diagrams help to provide this information and to identify missing data or ambiguous design descriptions.
The STPA documentation will likewise ease discussions among experts from different fields, who necessarily speak a variety of technical languages and may have differing viewpoints and priorities. It was found that a control structure model of the system helps communication between these groups about the functionality the system design is intended to provide.
ENHANCING THE REVIEW OF CANDIDATE DESIGNS
STAMP/STPA can also serve as a platform that gives reviewers a broad, system-level understanding of the design and can reveal surprising or unforeseen behaviour that emerges from the complex interactions that occur. As noted above, the method has the advantage of capturing human as well as equipment behaviour in the same control-theoretic model. Because the system is modelled as an integrated control structure rather than by considering components in isolation, reviewers can foresee flaws that would otherwise be impossible to anticipate.
The Step 1 tables provide a broad range of scenarios that may lead to UCAs relevant to the identified hazards. These tables capture the possibility of events and do not depend on the availability or accuracy of probabilistic estimates, which makes STAMP/STPA a powerful tool to support documentation and licensing. All the UCAs can be directly and easily transformed into component-level safety constraints, which can then be compared with the safety requirements of an existing design to find inconsistencies, discrepancies, or incompleteness. The Step 2 analysis guides the identification of the probable causes of the UCAs and of the different ways in which the safety constraints could in principle be violated. These results can also serve as a guide for experts producing a set of requirements or mitigation measures that the licensee must satisfy. Finally, the results of this case study are useful as a basis for generating further constraints that have not yet been identified, since new issues are likely to arise once the Step 1 and Step 2 findings are understood.
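As an added example (not the authors' tooling), the following Python sketch carries out the reasoning described in this section and in the classification section above: it walks the process-model states for the Close MSIV action, records a UCA wherever the action would be unsafe, inverts each UCA into a component-level safety constraint in the style of the paper's Table 10, traces it through the risk-to-accident links of the paper's Table 6, classifies controllers from the resulting UCA set, and reports which derived constraints an existing requirement list does not cover. The process-model variables, the branch conditions, and the R-n links attached to each UCA are assumptions made for the example; the R-n to A-n mapping itself is the one the paper gives.

```python
"""STPA Step 1 helper for the Close MSIV control action.

Added example, not code from the paper: it encodes the kind of reasoning the
paper's Tables 6 and 10 record. The process-model variables, the branch
conditions and the UCA-to-risk links are constructed assumptions.
"""
from dataclasses import dataclass
from itertools import product

# Table 6 of the paper: which system-level risks lead to which accidents.
RISK_TO_ACCIDENTS = {
    "R-1": ("A-1", "A-2"),
    "R-2": ("A-1", "A-2", "A-3", "A-4"),
    "R-3": ("A-3", "A-4"),
    "R-4": ("A-4",),
}

# The ways a control action can be unsafe, and the wording that negates each
# into a safety constraint (the pattern used in the paper's Table 10).
CONSTRAINT_WORDING = {
    "not provided": "must be provided",
    "provided": "must not be provided",
    "too early": "must not be provided too early",
    "too late": "must not be provided too late",
}


@dataclass(frozen=True)
class UCA:
    """One row of a Step 1 table: a control action that is unsafe in a context."""
    controller: str
    action: str
    kind: str      # key of CONSTRAINT_WORDING
    context: str   # process-model state that makes the action unsafe
    risks: tuple   # R-n labels from Table 6 (links assumed for this example)


# Process-model variables the controller must track (constructed).
LEAK = ("none", "SGTR", "feedwater/steam line")
SUPPORT_OK = (True, False)
SG_PRESSURE_HIGH = (True, False)


def step1_close_msiv(controller: str) -> list:
    """Walk every process-model state and record the Close MSIV UCAs.

    The branch conditions mirror UCA 1-6 of the paper's Table 10; the R-n
    links on each row are assumptions made for this example.
    """
    ucas = []
    act = "Close MSIV"
    for leak, support_ok, sg_high in product(LEAK, SUPPORT_OK, SG_PRESSURE_HIGH):
        ctx = f"leak={leak}, support_ok={support_ok}, sg_pressure_high={sg_high}"
        if leak == "none":
            # UCA 6: closing when there is nothing to isolate
            ucas.append(UCA(controller, act, "provided", ctx, ("R-3",)))
            continue
        if leak == "SGTR" and not support_ok:
            # UCA 3: isolating a ruptured SG without adequate support systems
            ucas.append(UCA(controller, act, "provided", ctx, ("R-2",)))
        else:
            # UCA 1 / UCA 2: a leak that must be isolated
            ucas.append(UCA(controller, act, "not provided", ctx, ("R-1", "R-2")))
            # UCA 5: isolation that comes too late
            ucas.append(UCA(controller, act, "too late", ctx, ("R-1",)))
        if sg_high:
            # UCA 4: isolation while SG pressure is still high
            ucas.append(UCA(controller, act, "too early", ctx, ("R-3",)))
    return ucas


def to_safety_constraint(uca: UCA) -> str:
    """Invert a UCA into its component-level safety constraint (Table 10 style)."""
    return f"{uca.controller}: {uca.action} {CONSTRAINT_WORDING[uca.kind]} when {uca.context}"


def accidents_for(uca: UCA) -> set:
    """Trace a UCA through Table 6 to the accidents it can contribute to."""
    return {a for r in uca.risks for a in RISK_TO_ACCIDENTS[r]}


def classify(controllers, ucas) -> dict:
    """Label a controller safety-related if any of its UCAs traces to a risk.

    This is the paper's point: the label is an output of the analysis rather
    than a premise of it.
    """
    related = {u.controller for u in ucas if u.risks}
    return {c: ("safety-related" if c in related else "non-safety-related")
            for c in controllers}


def uncovered_constraints(ucas, existing_requirements) -> list:
    """Constraints derived from Step 1 that no existing requirement states.

    Comparing the derived set with the design's requirement list is how the
    paper proposes finding gaps and inconsistencies.
    """
    derived = {to_safety_constraint(u) for u in ucas}
    return sorted(derived - set(existing_requirements))


if __name__ == "__main__":
    ucas = step1_close_msiv("Operator") + step1_close_msiv("PS")
    for u in ucas[:3]:
        print(to_safety_constraint(u), "->", sorted(accidents_for(u)))
    print(classify(["Operator", "PS", "NSSC"], ucas))
    print(len(uncovered_constraints(ucas, [])), "derived constraints not yet in the requirement set")
```

Because the enumeration is exhaustive over the process-model variables, it produces rows for contexts an analyst writing Table 10 by hand would not bother to list separately (for instance, "too early" and "too late" in the same context); those are the cases the paper describes as incompleteness surfacing once the Step 1 output is read back against the existing requirements.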
LIST OF FIGURES:
Figure 1: Controller comprising a process model
Figure 2: An example safety control structure
Figure 3: Example Safety Control Structure for the Operating Process in Figure 2
Figure 4: Simple Safety Control Loop for a Train Door Controller
Figure 5: Structure of a UCA
Figure 6: A classification of causal factors leading to risks
Figure 7: Pressurized Water Reactor (Diagram from AREVA Brochure)
Figure 8: PWR Safety Control Structure
Figure 9: Safety Control Structure for MSIV
Figure 10: Causal Factors Leading to Operator UCA
Figure 11: Causal Factors Leading to Operator Control Actions Not Being Followed
Figure 12: Causal factors leading to DAS UCA
Figure 13: Causal factors leading to DAS control actions not being followed
Figure 14: Causal Factors for PS UCA
Figure 15: Causal factors leading to PS control actions not being followed
LIST OF TABLES:
Table 1: Examples of accidents
Table 2: UCA for Simple Train Door Controller
Table 3: Example background table with type provided
Table 4: Example background table with type not provided
Table 5: System-level accidents to be stopped
Table 6: System-Level risks

| Risk | Related Accident |
|---|---|
| R-1: Release of radioactive materials | A-1, A-2 |
| R-2: Reactor temperature too high | A-1, A-2, A-3, A-4 |
| R-3: Equipment operated beyond limits | A-3, A-4 |
| R-4: Reactor shut down | A-4 |
Table 7: UCA for close MSIV
Table 8: Background table for Operator provides Close MSIV control action
Table 9: Background table for Close MSIV control action is not provided
Table 10: Safety Constraints

| Unsafe Control Action | Safety Constraint |
|---|---|
| UCA 1: Close MSIV not provided when there is a leak (rupture in the SG tube, leak in main feedwater, or leak in main steam line) and the support systems are adequate | SC 1: MSIV must be closed when there is a leak (rupture in the SG tube, leak in main feedwater, or leak in main steam line) and the support systems are adequate |
| UCA 2: Close MSIV not provided when there is a main feedwater or main steam line leak and other support systems are inadequate | SC 2: MSIV must be closed when there is a main feedwater or main steam line leak and other support systems are inadequate |
| UCA 3: Close MSIV provided when there is a SGTR but support systems are inadequate | SC 3: MSIV must not be closed when there is a SGTR and support systems are inadequate |
| UCA 4: Close MSIV provided too early (while SG pressure is high) | SC 4: MSIV must not be closed too early while SG pressure is too high |
| UCA 5: Close MSIV provided too late after rupture/leak (in the SG tube, main feedwater, or main steam line) | SC 5: MSIV must not be closed too late after rupture/leak (in the SG tube, main feedwater, or main steam line) |
| UCA 6: Close MSIV provided when there is no rupture/leak | SC 6: MSIV must not be closed when there is no rupture/leak |